WordPress Plugin Vulnerabilities

Ultimate Member < 2.4.0 - Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the Biography available on user profile pages, which could allow users to perform Cross-Site Scripting attacks via their profile

Affects Plugins

Plugin icon
ultimate-member
Fixed in 2.4.0

References

CVE
CVE-2022-1208

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Ruijie Li
Verified
Yes
WPVDB ID
f905d6e9-1901-4ff8-9960-6d765af78bd6

Timeline

Publicly Published
2022-06-02 (about 3 years ago)
Added
2022-06-02 (about 3 years ago)
Last Updated
2023-03-06 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
Surbma | Font Awesome < 3.1 - Contributor+ Stored XSS
Published
2024-02-21
Title
Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS
Published
2025-09-29
Title
Any News Ticker <= 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-04-06
Title
IMPress Listings <= 2.6.2 - Contributor+ Stored XSS
Published
2024-05-28
Title
Expert Invoice <= 1.0.2 -Admin+ Stored XSS