CVE-2025-13217 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Ultimate Member WordPress plugin, which is widely used for user profile management, registration, login, member directories, content restriction, and membership functionalities. The vulnerability exists in all versions up to and including 2.11.0 due to insufficient input sanitization and output escaping in the function `um_profile_field_filter_hook__youtube_video()`. This function processes user-supplied YouTube video URLs embedded in profile fields. Authenticated attackers with at least Subscriber-level privileges can exploit this flaw by injecting malicious JavaScript code into the YouTube video 'value' field. When other users visit the attacker’s profile page, the injected script executes in their browsers, enabling attacks such as session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability does not require user interaction beyond visiting the profile page and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity and privileges required, but no user interaction is needed. The scope is changed as the vulnerability affects other users viewing the compromised profile. No known public exploits or patches are currently available, increasing the urgency for proactive mitigation. The plugin’s popularity in WordPress ecosystems makes this a relevant threat for many organizations relying on it for membership and user management.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of user data on WordPress sites using the Ultimate Member plugin. Attackers can leverage the stored XSS to hijack user sessions, steal sensitive information, or perform actions with the victim’s privileges, potentially leading to account compromise or data leakage. Organizations with public-facing membership or community sites are particularly vulnerable, as the malicious payload executes when other users access the attacker’s profile. This can erode user trust, damage brand reputation, and lead to regulatory compliance issues under GDPR if personal data is exposed or manipulated. The medium severity score indicates a moderate but tangible risk, especially given the ease of exploitation by low-privileged authenticated users. The lack of known exploits in the wild suggests the vulnerability is not yet widely weaponized, but the potential for targeted attacks remains. Disruption of service is unlikely, but the integrity and confidentiality impacts are notable. The threat is more acute for organizations with large user bases and active community engagement.

1. Monitor for and apply official patches or updates from the Ultimate Member plugin vendor as soon as they become available to remediate the vulnerability. 2. Until a patch is released, restrict the ability to add or edit YouTube video URLs in profile fields to trusted users only, or disable this feature if feasible. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injection attempts targeting the YouTube video field in profile submissions. 4. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and restrict sources of executable content on profile pages. 5. Conduct regular security audits and code reviews of customizations related to user input handling in the plugin. 6. Educate site administrators and users about the risks of XSS and encourage vigilance when reviewing user-generated content. 7. Consider additional output encoding or sanitization layers at the application or server level to mitigate injection risks. 8. Monitor logs for unusual activity related to profile updates or script execution errors that may indicate exploitation attempts.