Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin

2 CVEs

CVE-2026-8489 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user, including site administrators, who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account, combined with script execution in other users' browsers, can escalate to full site compromise if an administrator's session is hijacked. No public exploit code or CISA KEV listing had been identified at the time of analysis, though the attack is low-complexity once a subscriber account is obtained.

Tags: WordPress, XSS, Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
Sources: NVD, VulDB
CVSS 3.1: 6.4
EPSS: 0.2%
CVE-2026-7761 HIGH This Week

Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because the harvested reset URLs can be used to set new administrator passwords. No public exploit had been identified at the time of analysis, though Wordfence has published detailed technical write-ups that significantly lower the bar for weaponization.

Tags: WordPress, Authentication Bypass, Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
Sources: NVD
CVSS 3.1: 8.8
EPSS: 0.5%