anonhaven
Ad

CVE-2025-15064

MEDIUM CVSS 3.1: 6.4 EPSS 0.01%
Updated Apr 07, 2026
WordPress
Parameter Value
CVSS 6.4 (MEDIUM)
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor WordPress
Public PoC No

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when "HTML support for user description" is enabled in Ultimate Member settings.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products

ultimatemember:ultimate member – user profile, registration, login, member directory, content restriction & membership plugin

References 2

https://github.com/ultimatemember/ultimatemember/pull/1774
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a7f070a-b67c-4e65-a9…
security@wordfence.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-6439

WordPress

4.4

CVE-2026-6451

WordPress

4.3

CVE-2026-40308

WordPress

8.8

CVE-2026-3830

Unknown

None

CVE-2026-5809

WordPress

7.1