Ultimate Member – User Profile & Membership Plugin STORED XSS

Published at October 6, 2018 – 1 min read


Ultimate Member is one of the many user profile & membership plugins for WordPress. The plugin makes it a breeze for users to sign-up and become members of your website. The plugin allows you to add user profiles to your site and is suitable for creating advanced online communities and membership sites. Lightweight and highly extendible, Ultimate Member will enable you to create almost any type of site where users can join and become members with absolute ease.


Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the “Ultimate Member - User Profile & Membership” plugin through 2.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the “Primary button Text” or “Second button text” field.
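The root cause described above is an output-encoding gap: an administrator-controlled setting (a button label) is written into the login form's HTML without being escaped for the context it lands in. The following is an added example, not code from the Ultimate Member plugin or its fix, and it makes no claim about how the plugin's own `um-actions-login.php` is written. It shows the weak pattern beside the hardened one using WordPress's escaping helpers (`esc_attr()`, `sanitize_text_field()`); the stand-in definitions, the function names `render_button_unsafe`/`render_button_safe`/`save_button_label`, the CSS class and the stored label value are all constructed for the demonstration.

```php
<?php
// Added example (not the plugin's code): how an unescaped stored setting
// becomes a stored XSS in an HTML attribute, and the hardened equivalent.
// Outside WordPress the helpers below do not exist, so minimal stand-ins
// with the same intent are defined to keep the script runnable with plain php.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode quotes, <, >, & for attribute context.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): the real one also strips
    // invalid octets and control characters; this only strips tags and trims.
    function sanitize_text_field(string $text): string {
        return trim(strip_tags($text));
    }
}

// Constructed value standing in for a saved "Primary button Text" option.
// It contains no <tag>, only a quote that closes the value attribute early.
$stored_label = 'Login" onfocus="alert(1)" autofocus="';

// Vulnerable pattern: the stored option is concatenated straight into markup.
function render_button_unsafe(string $label): string {
    return '<input type="submit" class="login-button" value="' . $label . '" />';
}

// Hardened pattern: escape at output time for the exact context (attribute value).
function render_button_safe(string $label): string {
    return '<input type="submit" class="login-button" value="' . esc_attr($label) . '" />';
}

// Defence in depth: sanitize on save as well. Note that this alone is NOT a
// fix for the attribute case, because the payload above contains no tags and
// survives strip_tags() unchanged; only context-aware output escaping closes it.
function save_button_label(string $raw): string {
    return sanitize_text_field($raw);
}

echo "unsafe: " . render_button_unsafe($stored_label) . PHP_EOL;
echo "safe:   " . render_button_safe($stored_label) . PHP_EOL;
echo "saved:  " . save_button_label($stored_label) . PHP_EOL;
```

Running it shows the unsafe line producing a second `onfocus` attribute on the input, while the safe line renders the whole label as inert text inside `value="..."`. The practical rule for reviewers of WordPress code is to check every `echo` of an option or post meta for an `esc_attr()`/`esc_html()`/`esc_url()` matching the surrounding HTML context, rather than relying on sanitization at save time.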

Vulnerability Type

  • Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)

Proof of Concept

Timeline
  • 2018-10-01 Found issue and asked for a CVE
  • 2018-10-02 Contacted support team of Ultimate Member
  • 2018-10-05 Issues resolved and version 2.0.28 released
  • 2018-10-06 Article released
Last update at April 12, 2021


I am a security researcher, a writer, and contributor to the Monero project, a cryptocurrency focused on preserving privacy for transaction data. My publication Mastering Monero has become one of the best rated resources to learn about Monero.

Follow me on Twitter or send me an email. I also appreciate donations; they allow me to continue doing my work and writing.