CVE-2022-1208 in Ultimate Member Plugininfo

Summary

by MITRE • 06/13/2022

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and output escaping that allows users to encode malicious web scripts with HTML encoding that is reflected back on the page. This affects versions up to, and including, 2.3.2. Please note this issue was only partially fixed in version 2.3.2.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/08/2026

The Ultimate Member WordPress plugin represents a popular user management solution that enables website administrators to create custom user profiles and registration forms. This vulnerability affects versions up to and including 2.3.2, making it a critical concern for WordPress installations that rely on this plugin for user profile management. The flaw specifically targets the Biography field functionality that appears on individual user profile pages, creating a persistent security risk for all users of affected installations. The vulnerability exists within the plugin's handling of user input data, particularly in how it processes and displays information entered into the biography field.

The technical implementation of this stored cross-site scripting vulnerability stems from inadequate input sanitization mechanisms within the plugin's codebase. When users submit content to the Biography field, the plugin fails to properly validate or sanitize the input before storing it in the database. Additionally, the output escaping mechanisms that should protect against XSS attacks are insufficiently implemented, allowing malicious scripts to be stored and subsequently executed when other users view the profile pages. The vulnerability allows attackers to encode malicious web scripts using HTML encoding techniques that bypass the plugin's security measures, enabling the reflected malicious code to execute in the context of other users' browsers. This creates a persistent threat where malicious payloads remain active until the affected plugin is updated or the compromised user profile is manually modified.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. An attacker who successfully exploits this vulnerability can inject malicious JavaScript code that executes in the browser context of other users viewing the compromised profile pages. This could allow for cookie theft, which would enable session hijacking attacks against authenticated users. The stored nature of the vulnerability means that the malicious code persists even after the initial attack vector is closed, making it particularly dangerous as it can affect multiple users over extended periods. The partial fix implemented in version 2.3.2 suggests that while some measures were taken, the underlying sanitization and escaping mechanisms remain insufficient to fully prevent exploitation.

Organizations affected by this vulnerability should prioritize immediate remediation through plugin updates to versions that properly address the XSS flaws. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in software applications. From an ATT&CK framework perspective, this vulnerability maps to technique T1566.001 which involves the use of malicious content delivery through web applications, and potentially T1071.001 which covers application layer protocol usage for command and control communications. The security implications extend to the principle of least privilege as compromised user profiles could provide attackers with access to sensitive user information. Organizations should also consider implementing additional monitoring for suspicious profile modifications and user-generated content to detect potential exploitation attempts. The vulnerability demonstrates the importance of proper input validation and output escaping in web applications, particularly when handling user-submitted content that will be displayed to other users.

Responsible

Wordfence

Reservation

04/01/2022

Disclosure

06/13/2022

Moderation

accepted

CPE

ready

EPSS

0.00872

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!