CVE-2025-15064: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when "HTML support for user description" is enabled in Ultimate Member settings.
AI Analysis
Technical Summary
The Ultimate Member plugin for WordPress suffers from a stored XSS vulnerability (CWE-79) due to improper neutralization of input in the user description field. This allows authenticated users with at least subscriber privileges to inject arbitrary web scripts if the plugin's HTML support for user descriptions is enabled. These scripts execute in the context of other users viewing the injected content, potentially leading to information disclosure or session hijacking. The vulnerability affects all versions up to and including 2.11.1. No official patch or remediation level has been published as of the data provided.
Potential Impact
Successful exploitation allows an authenticated user to inject and execute arbitrary scripts in the context of other users viewing the affected pages. This can lead to limited confidentiality and integrity impacts, such as theft of user session tokens or manipulation of displayed content. There is no impact on availability. The vulnerability requires subscriber-level access and the enabling of HTML support for user descriptions, limiting the attack surface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling the "HTML support for user description" setting in Ultimate Member to prevent exploitation. Additionally, restrict user roles and permissions to minimize exposure. Monitor official Ultimate Member communications for updates on patches or fixes.
CVE-2025-15064: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ultimatemember Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when "HTML support for user description" is enabled in Ultimate Member settings.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Ultimate Member plugin for WordPress suffers from a stored XSS vulnerability (CWE-79) due to improper neutralization of input in the user description field. This allows authenticated users with at least subscriber privileges to inject arbitrary web scripts if the plugin's HTML support for user descriptions is enabled. These scripts execute in the context of other users viewing the injected content, potentially leading to information disclosure or session hijacking. The vulnerability affects all versions up to and including 2.11.1. No official patch or remediation level has been published as of the data provided.
Potential Impact
Successful exploitation allows an authenticated user to inject and execute arbitrary scripts in the context of other users viewing the affected pages. This can lead to limited confidentiality and integrity impacts, such as theft of user session tokens or manipulation of displayed content. There is no impact on availability. The vulnerability requires subscriber-level access and the enabling of HTML support for user descriptions, limiting the attack surface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling the "HTML support for user description" setting in Ultimate Member to prevent exploitation. Additionally, restrict user roles and permissions to minimize exposure. Monitor official Ultimate Member communications for updates on patches or fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-23T21:58:02.545Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d0c19a0a160ebd92d7462d
Added to database: 4/4/2026, 7:45:30 AM
Last enriched: 4/11/2026, 8:54:09 AM
Last updated: 5/23/2026, 8:38:55 PM
Views: 40
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.