CVE-2025-13217: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.
AI Analysis
Technical Summary
CVE-2025-13217 is a stored cross-site scripting vulnerability affecting the Ultimate Member plugin for WordPress, which manages user profiles, registration, login, member directories, content restriction, and memberships. The flaw exists in the handling of the YouTube video 'value' field within the `um_profile_field_filter_hook__youtube_video()` function. Specifically, the plugin fails to properly sanitize and escape user-supplied YouTube video URLs before rendering them on profile pages. Authenticated attackers with at least Subscriber-level privileges can exploit this by injecting malicious JavaScript code into their own profile's YouTube video field. When other users or administrators view the affected profile page, the malicious script executes in their browsers. This can lead to theft of session cookies, redirection to malicious sites, or execution of unauthorized actions on behalf of the victim. The vulnerability is remotely exploitable over the network without user interaction, with low attack complexity and low privileges required. The CVSS v3.1 score is 6.4, reflecting medium severity with partial impact on confidentiality and integrity but no impact on availability. No patches were linked at the time of publication, and no known exploits have been observed in the wild. The vulnerability highlights the risks of insufficient input validation and output encoding in web applications, especially in widely used WordPress plugins that handle user-generated content.
Potential Impact
For European organizations, this vulnerability poses a significant risk to websites using the Ultimate Member plugin, particularly those that allow public or semi-public user profiles with embedded YouTube videos. Exploitation could lead to session hijacking, unauthorized access, and data leakage, undermining user trust and potentially violating GDPR requirements regarding data protection and breach notification. Organizations in sectors such as education, membership-based services, and community platforms that rely on this plugin may face reputational damage and operational disruption. The medium severity rating indicates that while the vulnerability does not directly affect availability, the compromise of confidentiality and integrity can facilitate further attacks or data exfiltration. Given the plugin's popularity in WordPress ecosystems, a large number of European websites could be exposed, increasing the attack surface for threat actors targeting European users and organizations.
Mitigation Recommendations
Immediate mitigation steps include monitoring for plugin updates from Ultimate Member and applying patches as soon as they are released. Until an official patch is available, administrators should consider disabling the YouTube video profile field or restricting its use to trusted users only. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the YouTube video field can reduce risk. Additionally, site owners can apply custom input validation and output encoding on the YouTube video URLs to sanitize inputs and prevent script execution. Regular security audits and user privilege reviews should be conducted to minimize the number of users with elevated permissions. Educating users about the risks of injecting untrusted content and monitoring logs for unusual profile updates can also help detect exploitation attempts early.
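The "custom input validation and output encoding" step above, written out as an added PHP hardening example for a site's own mu-plugin. This is not Ultimate Member's code; it assumes the filter name matches the callback named on the page (`um_profile_field_filter_hook__youtube_video`) and that WordPress's `esc_url()` and `add_filter()` are available. The approach is to reduce the user's input to an 11-character video ID and rebuild the embed from that ID alone, so no user-typed bytes reach the HTML.

```php
<?php
// Added example (not the plugin's own code): allowlist-parse the YouTube URL
// down to a video ID and rebuild the embed from the ID only.

/**
 * Return the YouTube video ID from a user-supplied URL, or null when the
 * value is not a plain http(s) youtube.com / youtu.be video URL.
 */
function hardened_youtube_video_id( $value ) {
    $parts = parse_url( trim( (string) $value ) );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return null; // rejects javascript:, data:, relative paths, bare text
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return null;
    }
    $host = preg_replace( '/^(www|m)\./', '', strtolower( $parts['host'] ) );
    $id   = '';
    if ( 'youtube.com' === $host ) {
        // https://www.youtube.com/watch?v=ID  or  https://www.youtube.com/embed/ID
        if ( isset( $parts['query'] ) ) {
            parse_str( $parts['query'], $query );
            $id = isset( $query['v'] ) ? $query['v'] : '';
        }
        if ( '' === $id && isset( $parts['path'] )
             && preg_match( '#^/embed/([^/]+)$#', $parts['path'], $m ) ) {
            $id = $m[1];
        }
    } elseif ( 'youtu.be' === $host ) {
        // https://youtu.be/ID
        $id = isset( $parts['path'] ) ? ltrim( $parts['path'], '/' ) : '';
    }
    // Video IDs are exactly 11 URL-safe base64 characters; anything else
    // (quotes, angle brackets, event handlers) fails here and is dropped.
    return preg_match( '/^[A-Za-z0-9_-]{11}$/', $id ) ? $id : null;
}

/** Render the embed from the validated ID only; render nothing on bad input. */
function hardened_youtube_video_embed( $value ) {
    $id = hardened_youtube_video_id( $value );
    if ( null === $id ) {
        return '';
    }
    $src = 'https://www.youtube.com/embed/' . $id;
    return '<iframe src="' . esc_url( $src ) . '" allowfullscreen></iframe>';
}

// Assumed hook name: derived from the callback named in the advisory. Priority
// 100 runs after the plugin's own callback so this output replaces it.
add_filter( 'um_profile_field_filter_hook__youtube_video', 'hardened_youtube_video_embed', 100, 1 );
```

Because the field's stored value is discarded unless it yields a valid ID, a value such as `https://www.youtube.com/watch?v=abcdefghijk"><svg onload=...>` produces no output at all rather than a partially escaped one.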
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-14T20:12:30.355Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6942f8e7847f7e98df04b541
Added to database: 12/17/2025, 6:39:35 PM
Last enriched: 12/17/2025, 6:53:54 PM
Last updated: 12/18/2025, 3:54:30 AM