What the vulnerability does
01 Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when "HTML support for user description" is enabled in Ultimate Member settings.
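The root cause named above is the combination of weak input sanitization and missing output escaping on a field that legitimately accepts some HTML. The snippet below is an added illustration written for this page, not Ultimate Member's code: a minimal WordPress plugin fragment showing the vulnerable pattern next to a hardened one that allowlists a few formatting tags with wp_kses() and escapes on output. The function names, the `example_description` meta key and the `example_html_support_enabled` option are assumptions standing in for the plugin's real setting.

```php
<?php
// Added illustration (not Ultimate Member's code). Names of functions, the
// meta key and the option are hypothetical stand-ins.

// Vulnerable pattern: stores whatever the user submitted and echoes it raw.
function example_save_description_vulnerable( int $user_id, string $raw ): void {
    update_user_meta( $user_id, 'example_description', $raw ); // no sanitization
}
function example_render_description_vulnerable( int $user_id ): void {
    echo get_user_meta( $user_id, 'example_description', true ); // no escaping
}

// Hardened pattern: a small allowlist of formatting tags. No event-handler
// attributes are listed, and wp_kses() drops href values whose scheme is not
// in wp_allowed_protocols(), so script-bearing URLs are removed as well.
function example_allowed_description_html(): array {
    return array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
    );
}

// Sanitize on save: plain text when HTML support is off, allowlisted HTML when on.
function example_sanitize_description( string $raw ): string {
    if ( ! get_option( 'example_html_support_enabled', false ) ) {
        return sanitize_textarea_field( $raw ); // strips all tags
    }
    return wp_kses( $raw, example_allowed_description_html() );
}
function example_save_description_hardened( int $user_id, string $raw ): void {
    update_user_meta( $user_id, 'example_description', example_sanitize_description( $raw ) );
}

// Escape on output too: stored values may predate the sanitizer or be written
// by another code path, so the renderer must not trust the database.
function example_render_description_hardened( int $user_id ): void {
    $stored = (string) get_user_meta( $user_id, 'example_description', true );
    if ( get_option( 'example_html_support_enabled', false ) ) {
        echo wp_kses( $stored, example_allowed_description_html() );
    } else {
        echo esc_html( $stored );
    }
}
```

The point of applying the filter on both save and render is defence in depth: the advisory's "only exploitable when HTML support is enabled" condition shows that a single setting can widen what the storage path accepts, so the output path should enforce the same allowlist independently. Sites that cannot update immediately can also disable the "HTML support for user description" setting, which the description identifies as the precondition for exploitation.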
Explanation of Vulnerability in Simple Terms
02 Summary
Ultimate Member versions up to and including 2.11.1 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user can inject malicious scripts through the user description field; because the payload is stored, it executes in the browser of any other user who views a page where the description is rendered, potentially compromising user sessions and data. Update to a version newer than 2.11.1 to remediate.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that run in other users' browsers when they view affected pages.
Potential impact on your site
04 Site Impact
Authenticated users can inject code affecting other site visitors; may lead to session hijacking or credential theft.
Conditions required to exploit
05 Prerequisites
Attacker must have a user account on the site (subscriber level or above). The "HTML support for user description" setting must be enabled in Ultimate Member. No user interaction required.
Key dates
06 Disclosure timeline
April 4, 2026: CVE published
April 8, 2026: Record updated