Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaleAB Membee Login membees-member-login-widget allows Reflected XSS.This issue affects Membee Login: from n/a through <= 2.3.6.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation, which allows a reflected XSS attack. An attacker can inject malicious scripts that will execute in the context of the victim’s browser, potentially enabling session hijacking, defacement, or permission escalation. This flaw is identified as CWE‑79.

Affected Systems

The affected product is the DaleAB Membee Login WordPress plugin, versions from the initial release through 2.3.6.

Risk and Exploitability

The CVSS score is 7.1, indicating high impact. The EPSS score is <1%, showing very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Because it is a reflected XSS, an attacker can craft a malicious URL that injects script into the plugin’s input handling. Based on the description, it is inferred that exploitation requires user interaction but is straightforward to execute.

Generated by OpenCVE AI on April 29, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Membee Login plugin version newer than 2.3.6 if available.
  • If an immediate upgrade is not possible, sanitize all input to the plugin and escape any output with proper WordPress functions such as wp_kses.
  • Consider disabling the Membee Login widget on public pages or restricting its use until a patch is applied.
  • Optionally, deploy a Web Application Firewall rule to block known XSS payloads targeting the plugin.

Generated by OpenCVE AI on April 29, 2026 at 11:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Daleab
Daleab membee Login
Wordpress
Wordpress wordpress
Vendors & Products Daleab
Daleab membee Login
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaleAB Membee Login membees-member-login-widget allows Reflected XSS.This issue affects Membee Login: from n/a through <= 2.3.6.
Title WordPress Membee Login plugin <= 2.3.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Daleab Membee Login
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:03:07.484Z

Reserved: 2025-12-24T14:00:10.432Z

Link: CVE-2025-68844

cve-icon Vulnrichment

Updated: 2026-02-23T21:46:19.239Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:13.133

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T11:15:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')