Ultimate Member < 2.12.0 - Subscriber+ Stored XSS via Custom Textarea Profile Fields
Summary
| CVE | CVE-2026-11766 |
|---|---|
| State | PUBLISHED |
| Assigner | WPScan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-06 08:16:35 UTC |
| Updated | 2026-07-06 18:37:01 UTC |
| Description | The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile. |
Risk And Classification
Primary CVSS: v3.1 8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.002470000 probability, percentile 0.158090000 (date 2026-07-08)
Problem Types: CWE-79 Cross-Site Scripting (XSS)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Unknown | Ultimate Member | affected 2.12.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wpscan.com/vulnerability/96adb2d3-af34-4455-97d4-90af58049e78 | [email protected] | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Meher Sudhakar Abbireddi (en)
CNA: WPScan (en)
There are currently no legacy QID mappings associated with this CVE.