CVE-2025-13217: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-13217 is a stored cross-site scripting vulnerability identified in the Ultimate Member WordPress plugin, which provides user profile, registration, login, member directory, content restriction, and membership management functionalities. The vulnerability exists in all versions up to and including 2.11.0 due to insufficient input sanitization and output escaping in the function `um_profile_field_filter_hook__youtube_video()`. This function processes user-supplied YouTube video URLs for profile fields. Authenticated attackers with at least Subscriber-level privileges can exploit this flaw by injecting malicious JavaScript code into the YouTube video 'value' field. Because the injected script is stored persistently, it executes whenever any user views the attacker's profile page, enabling a range of attacks such as session hijacking, credential theft, or unauthorized actions performed in the context of the victim's browser session. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges, no user interaction, and a scope change. There are no known public exploits or patches currently available, increasing the urgency for organizations to implement mitigations. The vulnerability falls under CWE-79, highlighting improper neutralization of input during web page generation. Given the widespread use of WordPress and the popularity of the Ultimate Member plugin, this vulnerability poses a significant risk to websites relying on this plugin for user management.
Potential Impact
The impact of CVE-2025-13217 is primarily on the confidentiality and integrity of user data and sessions. Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of other users viewing the compromised profile, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of victims. This can result in account compromise, privilege escalation, and further lateral movement within the affected website. Since the vulnerability requires only Subscriber-level access, it lowers the barrier for exploitation compared to vulnerabilities requiring administrative privileges. The scope change indicated in the CVSS vector means the vulnerability can affect components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site and its users. Although availability is not directly impacted, the reputational damage and potential data breaches can have severe consequences for organizations. Given the plugin's role in membership and content restriction, exploitation could undermine access controls and user trust.
Mitigation Recommendations
To mitigate CVE-2025-13217, organizations should first monitor for and apply any official patches or updates released by the Ultimate Member plugin developers as soon as they become available. In the absence of patches, administrators should implement strict input validation and sanitization on the YouTube video URL fields, ensuring that only valid URLs are accepted and that any embedded scripts or HTML are neutralized. Output encoding should be applied when rendering user-supplied data to prevent script execution. Restricting the ability to add or edit YouTube video fields to trusted roles above Subscriber can reduce risk. Employing Web Application Firewalls (WAFs) with rules targeting stored XSS payloads can provide additional protection. Regularly auditing user-generated content and monitoring logs for suspicious activity related to profile updates is recommended. Educating users about the risks of clicking on untrusted profile links and encouraging the use of security headers such as Content Security Policy (CSP) can further reduce exploitation impact. Finally, if the YouTube video profile field is not essential, consider disabling or limiting its use to reduce the attack surface.
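The validate-then-escape approach the technical summary and the mitigation recommendations describe, as an added illustration. This is not code from the Ultimate Member plugin and does not reproduce `um_profile_field_filter_hook__youtube_video()`; the function names, the host allowlist and the sample inputs are assumptions constructed for this example. The idea is that only an 11-character video id is ever extracted from the user-supplied value and the page is built from a canonical embed URL, so no other part of the input reaches the rendered profile.

```php
<?php
// Added illustration (not Ultimate Member's code): canonicalise a user-supplied
// YouTube URL to a fixed embed URL, or reject it. Function names are hypothetical.

declare(strict_types=1);

// Allowlist of hosts accepted as YouTube video URLs (assumption for this example).
const YT_HOSTS = ['youtube.com', 'www.youtube.com', 'm.youtube.com', 'youtu.be'];

/**
 * Return a canonical https://www.youtube.com/embed/<id> URL, or null if the
 * input is not a recognisable YouTube video URL. Only the 11-character video id
 * survives validation, so nothing else from the input is ever emitted.
 */
function safe_youtube_embed_url(string $value): ?string
{
    $value = trim($value);
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // no scheme/host: not an absolute URL at all
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, etc.
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, YT_HOSTS, true)) {
        return null; // rejects look-alike and third-party hosts
    }
    $path = $parts['path'] ?? '';
    $id = null;
    if ($host === 'youtu.be') {
        $id = ltrim($path, '/');                       // https://youtu.be/<id>
    } elseif ($path === '/watch') {
        parse_str($parts['query'] ?? '', $query);      // /watch?v=<id>
        $id = $query['v'] ?? null;
    } elseif (preg_match('#^/(embed|shorts)/([^/]+)$#', $path, $m)) {
        $id = $m[2];                                   // /embed/<id>, /shorts/<id>
    }
    // Video ids are exactly 11 characters from [A-Za-z0-9_-].
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9_-]{11}$/', $id)) {
        return null;
    }
    return 'https://www.youtube.com/embed/' . $id;
}

/** Render the embed; the canonical URL is escaped again at output (defence in depth). */
function render_youtube_field(string $value): string
{
    $url = safe_youtube_embed_url($value);
    if ($url === null) {
        return ''; // invalid: render nothing rather than the raw stored value
    }
    // Inside WordPress one would use esc_url()/esc_attr(); plain PHP shown here.
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $attr . '" allowfullscreen></iframe>';
}

// Constructed sample inputs: two accepted forms and three rejected ones.
$samples = [
    'https://www.youtube.com/watch?v=AbCdEfGhIjK&t=42',
    'https://youtu.be/AbCdEfGhIjK',
    'https://evil.example/watch?v=AbCdEfGhIjK',    // wrong host
    'javascript:void(0)',                           // not an http(s) URL
    'https://www.youtube.com/watch?v=<not-an-id>',  // id fails the allowlist
];
foreach ($samples as $s) {
    printf("%-48s -> %s\n", $s, render_youtube_field($s) ?: '(rejected)');
}
```

Run with `php example.php`; the first two inputs produce an `<iframe>` pointing at `https://www.youtube.com/embed/AbCdEfGhIjK` and the remaining three print `(rejected)`. The validation step is what removes the stored XSS risk; the output escaping is kept so that a future change to the validator cannot silently reintroduce it.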
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-14T20:12:30.355Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6942f8e7847f7e98df04b541
Added to database: 12/17/2025, 6:39:35 PM
Last enriched: 2/27/2026, 9:38:09 AM
Last updated: 3/25/2026, 9:37:49 AM