The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Skype and Spotify URL parameters in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Ultimatemember |
|
No data.
References
History
Fri, 10 Apr 2026 04:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Apr 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Ultimate Member <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting | |
| Metrics |
cvssV3_1
|
cvssV3_1
|
Thu, 27 Feb 2025 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Ultimatemember
Ultimatemember ultimate Member |
|
| Weaknesses | CWE-79 | |
| CPEs | cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* | |
| Vendors & Products |
Ultimatemember
Ultimatemember ultimate Member |
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-05-02T16:52:21.806Z
Updated: 2026-04-08T17:04:55.320Z
Reserved: 2024-03-21T15:26:03.320Z
Link: CVE-2024-2765
Vulnrichment
Updated: 2024-08-01T19:25:41.464Z
NVD
Status : Modified
Published: 2024-05-02T17:15:19.280
Modified: 2026-04-08T18:21:11.370
Link: CVE-2024-2765
Redhat
No data.