Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin Vulnerability (CVE-2025-15064)

Security Alert Summary

The Ultimate Member plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the user description field. Authenticated users with subscriber-level access and above can inject scripts that execute whenever a page rendering the injected description is viewed. The issue stems from insufficient input sanitization and output escaping and is only exploitable when the plugin setting “HTML support for user description” is enabled.

CVE Details

  • CVE ID: CVE-2025-15064
  • Affected component: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
  • Affected versions: All versions up to, and including, 2.11.1
  • Published: April 4, 2026, 8:16 AM (UTC)
  • Last modified: April 4, 2026, 8:16 AM (UTC)
  • CVSS v3.1: Base score 6.4, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User interaction: Requires authentication; attackers with subscriber-level access and above can exploit. Privileges required: Low. User interaction: None.
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness: CWE-79 (Cross-site Scripting)

Technical Details

This vulnerability is a stored cross-site scripting (XSS) issue stemming from insufficient input sanitization and missing output escaping for the user description field. When the plugin option “HTML support for user description” is enabled, content entered into the user description field can include HTML or script elements that are not properly sanitized.

An authenticated user with subscriber-level access or higher can store crafted HTML/script payloads in their profile description. Those payloads are persisted and execute in the browser of any visitor who loads a page that renders the injected description. Only the description field and the plugin setting are named in the source report; no specific functions or REST endpoints are identified.

The practical impact is the execution of arbitrary client-side scripts in the browser of viewers of injected pages. This can be used to perform actions available to the viewer’s browser context, such as cookie theft, session token exposure, or UI redress for social engineering, subject to the low confidentiality and integrity impact noted in the CVSS vector.
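As an added example (not Ultimate Member's own code), the two patterns the description above contrasts, written as WordPress PHP: raw output when HTML support is on, beside a hardened version that filters against an allowlist on save and escapes on output. The option name `example_html_description`, the `example_` function names and the use of the core `description` user-meta key are assumptions; adjust them to where your installation stores the field.

```php
<?php
// Added example, not the plugin's code. Option name, function names and the
// 'description' user-meta key are assumptions for illustration.

// Allowlist for the HTML-support mode: formatting and links only, no script
// elements and no event-handler attributes. wp_kses also rejects javascript:
// URLs in href because the allowed protocols exclude it.
function example_description_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'b'      => array(), 'strong' => array(), 'i' => array(), 'em' => array(),
        'p'      => array(), 'br'     => array(),
        'ul'     => array(), 'ol'     => array(), 'li' => array(),
    );
}

// Vulnerable pattern: "HTML support" is treated as "trust the stored value",
// so any markup a subscriber saved reaches the viewer's browser unchanged.
function example_render_description_unsafe( $description, $html_support ) {
    return $html_support ? $description : esc_html( $description );
}

// Hardened output: HTML support means an allowlist, never raw output.
function example_render_description_safe( $description, $html_support ) {
    if ( $html_support ) {
        return wp_kses( $description, example_description_allowed_html() );
    }
    return esc_html( $description );
}

// Hardened input: filter the value before it is persisted, so the stored data
// is clean even if some other template forgets to escape it. WordPress runs
// the sanitize_user_meta_{key} filter inside update_metadata().
function example_sanitize_description_meta( $value ) {
    if ( get_option( 'example_html_description', false ) ) {
        return wp_kses( $value, example_description_allowed_html() );
    }
    return wp_strip_all_tags( $value );
}
add_filter( 'sanitize_user_meta_description', 'example_sanitize_description_meta' );

// Template usage, reading the setting from the assumed option:
// echo example_render_description_safe(
//     get_the_author_meta( 'description', $user_id ),
//     get_option( 'example_html_description', false )
// );
```

Both layers matter: the save-time filter protects data already reaching storage, and the output escape protects against markup that entered the database before the filter existed.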

How This Could Impact Your Website

Consider a typical WordPress site with the site owner, internal staff (editors or administrators), and external contributors or subscribers. If an authenticated subscriber injects a script into their profile description and the site displays that description on public pages or member directories, other users who view those pages may have scripts run in their browsers. For example:

  • An external contributor could embed a script that captures browser-session details from other logged-in users who view the contributor’s profile.
  • Internal staff who review member profiles or public directories might have their session data or other client-side information exposed, increasing the risk of targeted phishing or account takeover attempts against higher-privilege users.
  • Exposed email addresses or session-related data could enable attackers to craft convincing social engineering messages against site staff.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and subscriber-level accounts that do not require profile editing privileges.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and review plugin settings such as HTML support for user-generated fields.
  • Monitor site activity and logs for unusual behavior, including unexpected profile updates or injected content.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.