Skip to main content

Ultimate Member EUVDEUVD-2026-41486

| CVE-2026-8489 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 Wordfence GHSA-whj4-pc5c-c7xq
6.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L confirmed by subscriber-level requirement; S:C reflects cross-origin script execution in victim browser; UI:N applied per stored XSS convention where payload fires on normal page load without attacker-directed victim interaction.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 05:47 vuln.today
CVE Published
Jul 03, 2026 - 04:30 cve.org
MEDIUM 6.4

DescriptionNVD

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'about_me' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Self-register subscriber account on target site
Delivery
Inject malicious JavaScript into 'about_me' profile field
Exploit
Payload persisted to WordPress database via UM form pipeline
Execution
Admin or user navigates to attacker's profile page
Persist
Stored script executes in victim's browser context
Impact
Session token or credentials exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Requires an attacker to hold at minimum a subscriber-level WordPress account on the target site (PR:L per CVSS vector); this is the critical prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 Medium score is driven by S:C (the payload crosses into the victim's browser security context) and PR:L (only a subscriber account is required), partially offset by C:L and I:L individual impact ratings. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker self-registers a free subscriber account on a WordPress site running Ultimate Member ≤ 2.11.4 and submits a profile update with a JavaScript payload (e.g., a cookie-harvesting script) embedded in the 'about_me' field. When a site administrator reviews member profiles - a routine administrative task - the payload silently executes in the admin's browser, exfiltrating their session cookie to an attacker-controlled endpoint and enabling the attacker to authenticate as the administrator and take full control of the site. …
Remediation No fixed version is confirmed in the available intelligence data - the Wordfence advisory and Trac references only document vulnerable code at versions 2.11.2 and 2.11.4, with no patched release version cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41486 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy