CVE-2026-11766
Received Received - Intake

Unauthenticated Stored XSS in Ultimate Member WordPress Plugin

Vulnerability report for CVE-2026-11766, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: WPScan

Description

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ultimate_member ultimate_member to 2.12.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should update the Ultimate Member WordPress plugin to version 2.12.0 or later, where the issue has been fixed.

Additionally, restrict the ability to add or edit custom textarea profile fields to trusted users only, and consider reviewing user profiles for suspicious JavaScript code injections.

Executive Summary

The vulnerability CVE-2026-11766 affects the Ultimate Member WordPress plugin versions prior to 2.12.0. It is a stored Cross-Site Scripting (XSS) issue where custom textarea profile fields are not properly sanitized or escaped before being displayed on user profiles.

This flaw allows authenticated users with Subscriber-level access or higher to inject malicious JavaScript code into these profile fields. When any user, including administrators, views the affected profile, the injected JavaScript executes.

Impact Analysis

This vulnerability can lead to unauthorized execution of malicious JavaScript code within the context of the affected website.

  • Attackers with Subscriber-level access can inject scripts that run when profiles are viewed.
  • Malicious scripts could steal sensitive information, hijack user sessions, or perform actions on behalf of users, including administrators.
  • It poses a high security risk, potentially compromising the integrity and confidentiality of the website and its users.
Compliance Impact

The vulnerability allows authenticated users to inject and execute malicious JavaScript code on user profiles, which can lead to unauthorized access or manipulation of user data.

Such a security flaw can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and prevention of unauthorized access or data breaches.

Specifically, stored Cross-Site Scripting (XSS) vulnerabilities can be exploited to steal sensitive information, perform actions on behalf of users, or compromise administrative accounts, all of which violate data protection and privacy requirements.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart