A Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress Restrict Plugin. This vulnerability could allow an attacker to inject malicious scripts into the affected website, potentially compromising the security of the website and its visitors.

This security vulnerability was initially discovered and reported by thiennv.

The vulnerability is an XSS vulnerability that occurs in the restrict.php file. The vulnerability allows an attacker to inject malicious scripts into the affected website by exploiting a flaw in the way that the plugin handles user input.


The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

Regrettably, there is currently no patched version available to address this vulnerability in the Restrict Plugin. This leaves websites using this plugin vulnerable to potential attacks.


An attacker who successfully exploits this vulnerability could inject malicious scripts into the affected website, such as:

  • Redirects
  • Advertisements
  • Other HTML payloads

These malicious scripts could then be executed by visitors to the website, potentially leading to a variety of security risks, such as:

  • Phishing attacks
  • Malware infections
  • Identity theft


Considering the critical nature of this vulnerability and the absence of a patched version, strongly recommend the following actions:

  • Disable the Plugin: Given the absence of a security fix, consider disabling the Restrict Plugin from the website until a patched version is provided. This step can help mitigate the potential risks associated with the vulnerability.
  • Stay Informed: Staying informed about any potential patches or fixes that may be released is essential for maintaining the website’s security.