Developer - Security engineer[email protected]
Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin through 2.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.
2018-10-01 Found issue and asked for a CVE
2018-10-02 Contacted support team of Ultimate Member
2018-10-05 Issues resolved and version 2.0.28 released
2018-10-06 Article released