Description
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
Published: 2026-07-06
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the Ultimate Member WordPress plugin, before version 2.12.0, fails to properly sanitize and escape custom textarea profile fields. Authenticated users holding Subscriber‑level access or higher can inject JavaScript that is stored and subsequently executed whenever any user—including administrators—views the affected profile. This provides an attacker with the ability to run code in the victim’s browser context, potentially allowing cookie theft, session hijacking, or other malicious actions designed for the profile owner’s privileges. The CVSS score of 8 indicates a high severity impact on confidentiality, integrity, and availability of the website’s users.

Affected Systems

All WordPress sites that have installed the Ultimate Member plugin with a version earlier than 2.12.0 and are using custom textarea profile fields. The specific version numbers are not listed, so any installation of the plugin predating 2.12.0 is considered vulnerable.

Risk and Exploitability

With an EPSS score of less than 1%, current public exploitation probability is low, and the vulnerability does not appear in the CISA KEV catalog. Nevertheless, exploitation requires an authenticated account with Subscriber access, which is typically widely available in many sites. Once injected, the script runs under the context of the profile viewer, giving attackers a reliable, persistent attack vector that can affect administrators and other privileged users. There are no known public exploits, but the potential for internal or targeted attacks remains high.

Generated by OpenCVE AI on July 6, 2026 at 17:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate Member plugin to version 2.12.0 or newer to apply the vendor fix for the stored‑XSS issue.
  • If an upgrade is not immediately possible, disable or delete any custom textarea profile fields until the patch is applied, so that no unfiltered user input can be stored in these fields.
  • Configure the plugin or WordPress to escape or strip JavaScript from custom profile fields by enabling output sanitization or using a security plugin’s XSS protection features.

Generated by OpenCVE AI on July 6, 2026 at 17:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 06 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Ultimatemember
Ultimatemember ultimate Member
Wordpress
Wordpress wordpress
Vendors & Products Ultimatemember
Ultimatemember ultimate Member
Wordpress
Wordpress wordpress

Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
Title Ultimate Member < 2.12.0 - Subscriber+ Stored XSS via Custom Textarea Profile Fields
References

Subscriptions

Ultimatemember Ultimate Member
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-06T12:02:30.806Z

Reserved: 2026-06-09T09:51:17.031Z

Link: CVE-2026-11766

cve-icon Vulnrichment

Updated: 2026-07-06T12:02:22.314Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')