CVE-2025-64291

Vulnerability

Overview The Premmerce User Roles plugin for WordPress versions up to and including 1.0.13 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an authenticated attacker with sufficient privileges to inject arbitrary JavaScript or HTML into the plugin's pages, which is then stored and executed in the browsers of other users visiting the affected site.

Exploitation

Conditions Exploitation requires an authenticated user with the appropriate role (as defined by the plugin) to inject the malicious payload. The vulnerability is triggered when a privileged user performs an action such as clicking a link or submitting a form, but the stored script will execute for any visitor to the compromised page [1]. This makes it a stored XSS, which is more dangerous than reflected XSS as it persists without requiring further user interaction from the victim.

Impact

Successful exploitation could allow an attacker to inject malicious scripts that perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies and other sensitive information [1]. The CVSS score of 5.9 (Medium) reflects the need for authenticated access but the potential for widespread impact on site visitors.

Mitigation

The vulnerability has been patched in version 1.0.14 of the plugin. Users are strongly advised to update immediately. For those unable to update, consulting with a hosting provider or web developer is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins.