Security Alert Summary
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the handling of YouTube video URLs. Authenticated users with Subscriber-level access and above can supply specially crafted input that is not properly sanitized or escaped, allowing scripts to be stored and executed when other users view the affected profile pages.
CVE Details
- CVE ID: CVE-2025-13217
- Affected plugin / component: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress
- Affected versions: All versions up to, and including, 2.11.0
- Published: December 17, 2025 at 7:16 PM UTC
- Last modified: December 18, 2025 at 3:07 PM UTC
- CVSS v3.1: Base Score 6.4 — MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low (authenticated user)
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
- Authentication / Privileges: Authenticated attacker with Subscriber-level access and above (as stated in the CVE description)
- CWE / Weakness: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping for user-supplied YouTube video URLs. The CVE description identifies the problematic function as um_profile_field_filter_hook__youtube_video(), which processes the YouTube “value” field. Because user-supplied data is not properly sanitized on input or escaped on output, an authenticated user with Subscriber-level access can store HTML or script content that will be rendered in profile pages.
When another user (or the same user) loads an affected profile page, the stored script can execute in the context of the site, leading to impacts described by the CVSS metrics (confidentiality and integrity impact classified as low). The issue is limited to stored XSS via the YouTube video field and does not, in the CVE entry, indicate any direct impact to availability.
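The following is an added illustration, not code from the Ultimate Member plugin and not the um_profile_field_filter_hook__youtube_video() function itself. It contrasts the general defect pattern described above (a stored value trusted on input and concatenated into markup on output) with a hardened version that allow-lists the host, extracts a validated video ID, stores only a canonical embed URL, and escapes on output. All function names, the sample video ID and the sample inputs are constructed for the example; in WordPress code the htmlspecialchars() call would normally be esc_url()/esc_attr().

```php
<?php
// Added example (hypothetical names, not the plugin's code).

// UNSAFE pattern: the stored value is concatenated straight into an attribute.
// Whatever was stored, including quotes and tags, lands in the page unchanged.
function render_youtube_unsafe(string $stored_value): string {
    return '<iframe src="' . $stored_value . '"></iframe>';
}

// Return the 11-character YouTube video ID from an allow-listed https URL, or null.
// Accepted shapes: youtube.com/watch?v=ID, youtu.be/ID, youtube.com/embed/ID.
function extract_youtube_id(string $input): ?string {
    $parts = parse_url(trim($input));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ['youtube.com', 'www.youtube.com', 'youtu.be'], true)) {
        return null;
    }
    $path = $parts['path'] ?? '';
    $id = null;
    if ($host === 'youtu.be') {
        $id = ltrim($path, '/');
    } elseif ($path === '/watch') {
        parse_str($parts['query'] ?? '', $query);
        $id = $query['v'] ?? null;               // may be an array for v[]=...; rejected below
    } elseif (strpos($path, '/embed/') === 0) {
        $id = substr($path, strlen('/embed/'));
    }
    // YouTube IDs are exactly 11 characters from [A-Za-z0-9_-]; anything else is rejected.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9_-]{11}$/', $id)) {
        return null;
    }
    return $id;
}

// Sanitize on input: persist only a canonical embed URL built from the validated ID,
// never the raw submitted string. An invalid submission stores an empty value.
function sanitize_youtube_value(string $input): string {
    $id = extract_youtube_id($input);
    return $id === null ? '' : 'https://www.youtube.com/embed/' . $id;
}

// Escape on output: even the canonical URL is attribute-escaped before rendering,
// so a future change to the stored format cannot reintroduce the defect.
function render_youtube_safe(string $stored_value): string {
    $url = sanitize_youtube_value($stored_value);
    if ($url === '') {
        return '';
    }
    return '<iframe src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

// Constructed sample inputs: a legitimate URL (fake ID) and an attribute-breakout string.
$samples = [
    'https://www.youtube.com/watch?v=abcdefghijk',
    '"><b>injected</b>',
];
foreach ($samples as $s) {
    echo "unsafe: " . render_youtube_unsafe($s) . "\n";
    echo "safe:   " . render_youtube_safe($s) . "\n\n";
}
```

Running this with the PHP CLI prints the breakout string rendered verbatim by the unsafe function and an empty string from the safe one, while the legitimate URL is reduced to its canonical embed form in both the stored value and the output. The design point is that validation happens against a structural allow-list (scheme, host, ID charset and length) rather than by stripping characters, and that escaping is applied on output regardless of how the value was stored.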
How This Could Impact Your Website
Consider a typical small business WordPress site using Ultimate Member with multiple user roles: a site owner/admin, internal staff editors, and external contributors or contractors. If an authenticated contributor or contractor with Subscriber-level access adds a malicious payload into their YouTube profile field, that payload could be stored and executed when staff or other users view the contributor’s profile page.
- Exposure of limited confidential data: an attacker could execute scripts that read information visible on the profile page or interact with the victim’s session within the privileges available to that browser context (CVSS confidentiality impact: Low).
- Integrity risks: scripts may modify displayed content or perform actions available to the viewing user in their session, altering data or UI elements (CVSS integrity impact: Low).
- Phishing and social engineering: visible or hidden changes could be used to capture additional user input (for example, prompting users to enter credentials or personal information), increasing the risk of targeted phishing.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE notes versions up to 2.11.0 are affected; a fixed version is not specified in the CVE entry.)
- Review and reduce unnecessary user roles and capabilities, especially for contributor/subscriber-level accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and fields that accept user-supplied HTML or URLs where possible.
- Monitor site activity and logs for unusual behavior, especially actions involving profile fields and uploaded content.
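As an added example of the monitoring item above (not part of the original advisory or the plugin), the following script audits profile-field values that are supposed to hold YouTube URLs and flags any that contain markup, quotes, event-handler syntax or a non-YouTube origin. The rows are constructed to resemble wp_usermeta entries; the meta_key name and user IDs are hypothetical, and on a real site the rows would come from a query against the database rather than an inline array.

```php
<?php
// Added example: audit stored YouTube-field values for content that should never be there.

// Constructed rows shaped like wp_usermeta; meta_key 'youtube_video' is hypothetical.
$rows = [
    ['user_id' => 12, 'meta_value' => 'https://www.youtube.com/watch?v=abcdefghijk'],
    ['user_id' => 37, 'meta_value' => '"><b>injected</b>'],
    ['user_id' => 41, 'meta_value' => 'javascript:void(0)'],
    ['user_id' => 58, 'meta_value' => 'https://youtu.be/abcdefghijk'],
    ['user_id' => 63, 'meta_value' => 'https://example.org/video?onload=x'],
];

// Return a list of reasons a value looks wrong for a YouTube URL field (empty if clean).
function suspicious_youtube_value(string $value): array {
    $reasons = [];
    if (preg_match('/[<>"\']/', $value)) {
        $reasons[] = 'markup or quote characters';
    }
    if (preg_match('/^\s*(javascript|data|vbscript):/i', $value)) {
        $reasons[] = 'non-http scheme';
    }
    if (preg_match('/\bon[a-z]+\s*=/i', $value)) {
        $reasons[] = 'event-handler-like attribute';
    }
    if (!preg_match('#^https://(www\.)?(youtube\.com|youtu\.be)/#i', $value)) {
        $reasons[] = 'not a YouTube URL';
    }
    return $reasons;
}

// Run the check over every row and collect the ones that need a human look.
function audit_rows(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        $reasons = suspicious_youtube_value($row['meta_value']);
        if ($reasons !== []) {
            $findings[] = ['user_id' => $row['user_id'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

foreach (audit_rows($rows) as $finding) {
    printf("user %d: %s\n", $finding['user_id'], implode(', ', $finding['reasons']));
}
```

Users 12 and 58 produce no finding; users 37, 41 and 63 are reported with the matching reasons. Because this is a read-only check, it can be run before and after a plugin update to confirm that no stored values from the vulnerable period survive, and any hit should be treated as an indicator to review that account's other profile fields and recent activity.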
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.