CVE-2025-60102

The WPFront User Role Editor plugin for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 4.2.3. The plugin fails to properly neutralize input during web page generation, allowing attackers to inject malicious scripts that are stored on the server and later executed in the context of a user's browser [1].

Exploitation requires an authenticated user with the ability to edit user roles (such as an administrator). An attacker can inject arbitrary JavaScript or HTML into the plugin's fields, such as role names or descriptions. Once stored, the payload is triggered when any user visits a page that renders the injected content, such as the user role management interface or other front-end pages [1].

Successful exploitation enables the attacker to perform actions like redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing sensitive information such as session cookies. The CVSS v3 score is 6.5 (Medium), reflecting the need for authentication but the potential for widespread impact on site visitors [1].

The vulnerability is addressed in version 4.2.4 of the plugin. Users are strongly advised to update immediately. For those unable to update, implementing a web application firewall or restricting access to the plugin's functionality may serve as a temporary workaround [1].