CVE-2026-1404
Reflected XSS in Ultimate Member Plugin Allows Script Injection
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultimate_member | ultimate_member | to 2.11.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Ultimate Member WordPress plugin (versions up to and including 2.11.1) is a Reflected Cross-Site Scripting (XSS) issue. It occurs via the filter parameters, such as 'filter_first_name', due to insufficient input sanitization and output escaping.
This means that an unauthenticated attacker can inject arbitrary web scripts into pages by crafting malicious URLs or inputs that include these filter parameters. If a user is tricked into clicking such a link, the injected scripts can execute in their browser.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the context of the affected website when a user interacts with crafted links or inputs. Potential impacts include theft of user session data, redirection to malicious sites, defacement, or unauthorized actions performed on behalf of the user.
Since the vulnerability is exploitable by unauthenticated attackers and requires user interaction (such as clicking a link), it poses a risk to both site administrators and users by compromising the integrity and security of user sessions and data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves Reflected Cross-Site Scripting (XSS) via filter parameters such as 'filter_first_name' in the Ultimate Member WordPress plugin up to version 2.11.1. Detection involves checking if these parameters are being used in URLs and if they are properly sanitized."}, {'type': 'paragraph', 'content': "To detect potential exploitation attempts on your system or network, you can monitor HTTP requests for suspicious or unexpected script code in URL parameters related to filtering, especially parameters like 'filter_first_name'."}, {'type': 'list_item', 'content': "Use web server logs or network monitoring tools to search for requests containing suspicious script tags or encoded JavaScript in filter parameters, for example by searching for '<script>' or '%3Cscript%3E' in query strings."}, {'type': 'list_item', 'content': "Example command using grep on web server logs to find suspicious filter parameters: grep -i 'filter_first_name=.*<script' access.log"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the plugin manually by sending crafted URLs with script payloads in filter parameters and observe if the payload is reflected unsanitized in the response.'}] [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the Ultimate Member WordPress plugin to version 2.11.2 or later, as this version includes fixes addressing the CVE-2026-1404 vulnerability.
If updating immediately is not possible, consider temporarily disabling the affected plugin or restricting access to the members directory pages that use the vulnerable filter parameters.
Additionally, implement Web Application Firewall (WAF) rules to block or sanitize requests containing suspicious script payloads in filter parameters.
Review and apply security best practices such as input sanitization and output escaping in custom code or themes that interact with the plugin.