CVE-2024-2123 in Ultimate Member Plugin
Summary
by MITRE • 03/13/2024
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The Ultimate Member WordPress plugin represents a comprehensive solution for user management including profile creation, registration processes, member directories, and content restriction capabilities. This plugin serves as a critical component for many websites seeking to implement robust user authentication and membership systems. The vulnerability identified in versions up to and including 2.8.3 exposes a fundamental security weakness that affects the plugin's handling of user input across multiple parameters. The issue manifests as a stored cross-site scripting vulnerability that can be exploited by unauthenticated attackers to inject malicious scripts into the plugin's data handling processes.
The technical flaw stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase. When users submit data through various form parameters or API endpoints, the plugin fails to properly validate and sanitize the incoming information before storing it in the database. Additionally, the output escaping mechanisms that should protect against XSS attacks are either absent or insufficiently implemented. This combination creates an environment where malicious scripts can be stored persistently within the plugin's database records and executed whenever legitimate users access pages containing the compromised data.
The operational impact of this vulnerability extends beyond simple script execution as it creates a persistent threat vector that can affect any user interacting with compromised pages. Attackers can craft malicious payloads that will execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further exploitation of the compromised systems. The stored nature of this vulnerability means that once injected, malicious scripts remain active until manually removed, creating a long-term threat that can affect multiple users over extended periods. This vulnerability particularly affects sites using the Ultimate Member plugin for member directories where user-generated content is displayed, making it a prime target for attackers seeking to compromise user sessions.
The vulnerability aligns with CWE-79 which describes Cross-Site Scripting flaws resulting from insufficient input validation and output escaping. From an ATT&CK framework perspective, this vulnerability maps to T1566.001 - Phishing and T1071.001 - Application Layer Protocol: Web Protocols, as it enables attackers to craft malicious web content that can be delivered to unsuspecting users. The unauthenticated nature of the attack means that no prior access or credentials are required to exploit this vulnerability, making it particularly dangerous for widely-used plugins like Ultimate Member. Organizations should immediately implement mitigation strategies including plugin updates, input validation enhancements, and monitoring for suspicious user activity. The recommended approach involves updating to the latest plugin version where the vulnerability has been patched, implementing additional security layers such as web application firewalls, and conducting thorough security audits of user input handling processes.