Impact
The vulnerability arises because the Ultimate Member WordPress plugin, before version 2.12.0, fails to properly sanitize and escape custom textarea profile fields. Authenticated users holding Subscriber‑level access or higher can inject JavaScript that is stored and subsequently executed whenever any user—including administrators—views the affected profile. This provides an attacker with the ability to run code in the victim’s browser context, potentially allowing cookie theft, session hijacking, or other malicious actions designed for the profile owner’s privileges. The CVSS score of 8 indicates a high severity impact on confidentiality, integrity, and availability of the website’s users.
Affected Systems
All WordPress sites that have installed the Ultimate Member plugin with a version earlier than 2.12.0 and are using custom textarea profile fields. The specific version numbers are not listed, so any installation of the plugin predating 2.12.0 is considered vulnerable.
Risk and Exploitability
With an EPSS score of less than 1%, current public exploitation probability is low, and the vulnerability does not appear in the CISA KEV catalog. Nevertheless, exploitation requires an authenticated account with Subscriber access, which is typically widely available in many sites. Once injected, the script runs under the context of the profile viewer, giving attackers a reliable, persistent attack vector that can affect administrators and other privileged users. There are no known public exploits, but the potential for internal or targeted attacks remains high.
OpenCVE Enrichment