Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L confirmed by subscriber-level requirement; S:C reflects cross-origin script execution in victim browser; UI:N applied per stored XSS convention where payload fires on normal page load without attacker-directed victim interaction.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'about_me' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an attacker to hold at minimum a subscriber-level WordPress account on the target site (PR:L per CVSS vector); this is the critical prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 Medium score is driven by S:C (the payload crosses into the victim's browser security context) and PR:L (only a subscriber account is required), partially offset by C:L and I:L individual impact ratings. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker self-registers a free subscriber account on a WordPress site running Ultimate Member ≤ 2.11.4 and submits a profile update with a JavaScript payload (e.g., a cookie-harvesting script) embedded in the 'about_me' field. When a site administrator reviews member profiles - a routine administrative task - the payload silently executes in the admin's browser, exfiltrating their session cookie to an attacker-controlled endpoint and enabling the attacker to authenticate as the administrator and take full control of the site. … |
| Remediation | No fixed version is confirmed in the available intelligence data - the Wordfence advisory and Trac references only document vulnerable code at versions 2.11.2 and 2.11.4, with no patched release version cited. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41486
GHSA-whj4-pc5c-c7xq