Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity once a subscriber account is obtained.
Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. No public exploit identified at time of analysis, though Wordfence has published detailed technical write-ups that significantly lower the bar for weaponization.