CVE-2025-13217
Unknown Unknown - Not Provided
Stored XSS in Ultimate Member YouTube Video Field Allows Script Injection

Publication date: 2025-12-17

Last updated on: 2025-12-17

Assigner: Wordfence

Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13217
EUVD
EUVD-2025-203923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ultimate_member ultimate_member *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Ultimate Member WordPress plugin (versions up to and including 2.11.0). It occurs via the YouTube Video 'value' field due to insufficient input sanitization and output escaping in the function um_profile_field_filter_hook__youtube_video(). Authenticated users with Subscriber-level access or higher can inject arbitrary web scripts into user profile pages, which execute when other users view the infected profile.

Impact Analysis

This vulnerability allows attackers with Subscriber-level access or above to inject malicious scripts into user profile pages. When other users visit these profiles, the malicious scripts execute in their browsers, potentially leading to session hijacking, data theft, defacement, or other malicious actions. This compromises the security and integrity of the website and its users.

Mitigation Strategies

Update the Ultimate Member WordPress plugin to version 2.11.1 or later, as this update includes extensive code modifications likely addressing security issues including this vulnerability. [1]

Detection Guidance

To detect this vulnerability on your system, you should check if the Ultimate Member WordPress plugin is installed and if its version is up to and including 2.11.0, as these versions are vulnerable. You can do this by querying the plugin version via WordPress CLI or inspecting the plugin files. For example, using WP-CLI, run: `wp plugin get ultimate-member --field=version`. If the version is 2.11.0 or lower, the system is vulnerable. Additionally, you can scan user profile fields for suspicious YouTube video URLs containing injected scripts, but no specific commands for this are provided in the resources. Updating the plugin to version 2.11.1 or later is recommended to mitigate the issue. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13217. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart