CVE-2013-4954

Name of the Vulnerable Software and Affected Versions Pie-Register plugin versions prior to 1.31

Description The issue allows remote attackers to inject arbitrary web script or HTML via the pass1 or pass2 parameter in a register action, when "Allow New Registrations to set their own Password" is enabled.

Recommendations For Pie-Register plugin versions prior to 1.31, update to version 1.31 or later to resolve the issue. As a temporary workaround, consider disabling the "Allow New Registrations to set their own Password" feature until a patch is available. Restrict access to the register action to minimize the risk of exploitation. Avoid using the pass1 and pass2 parameters in the affected API endpoint until the issue is resolved.