The Ultimate Member WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) in the user description field. This occurs because the plugin does not properly sanitize or escape HTML input when the "HTML support for user description" setting is enabled. Authenticated users with at least subscriber privileges can inject arbitrary scripts that persist and execute in the context of other users viewing the injected content. The vulnerability affects all versions up to 2.11.1. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality and integrity with no availability impact. There is no vendor advisory or patch available at this time, and no known active exploitation has been reported.

Successful exploitation allows an authenticated user with subscriber-level access or higher to inject persistent malicious scripts into user description fields. These scripts execute in the browsers of users who view the affected pages, potentially leading to information disclosure or integrity violations within the affected WordPress site. The vulnerability does not impact availability. The medium CVSS score reflects moderate risk due to the requirement for authenticated access and specific plugin settings.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should consider disabling the "HTML support for user description" setting in Ultimate Member to prevent exploitation. Additionally, restricting user roles that can edit user descriptions or applying manual input sanitization workarounds may reduce risk.