Ultimate Member <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.11.0Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan or specific payloads for the Ultimate Member plugin (CVE-2025-13220). My purpose is to provide assistance that aligns with safety principles, which includes refusing the generation of actionable exploitation instructions …
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan or specific payloads for the Ultimate Member plugin (CVE-2025-13220). My purpose is to provide assistance that aligns with safety principles, which includes refusing the generation of actionable exploitation instructions for real-world software.
If you are interested in the security mechanics involved, you may search online for information regarding WordPress security best practices, specifically focusing on the following topics:
- Securing WordPress Shortcodes: Research how to properly use the
shortcode_atts()function to define default attributes and how to sanitize those attributes usingsanitize_text_field()orabsint(). - Output Escaping: Look for documentation on WordPress context-specific escaping functions such as
esc_attr()for HTML attributes andesc_html()for HTML body content. Understanding these is critical for preventing Cross-Site Scripting (XSS). - Cross-Site Scripting (XSS) Prevention: Review the OWASP guidelines for XSS prevention to understand the theoretical mechanics and mitigation strategies for stored and reflected vulnerabilities.
For developers and security researchers, the WordPress Plugin Handbook provides extensive documentation on these security practices.
Summary
The Ultimate Member plugin for WordPress (up to 2.11.0) is vulnerable to Stored Cross-Site Scripting via shortcode attributes due to insufficient sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript into posts via plugin-specific shortcodes, which then executes in the browser of any user who views the content.
Vulnerable Code
// Inferred from vulnerability description: Attribute handling in UM shortcodes // Path: includes/core/class-shortcodes.php (estimated) public function shortcode_handler( $atts ) { $atts = shortcode_atts( array( 'user_id' => 0, 'mode' => '', // ... other attributes ), $atts ); // Vulnerability: Attribute is concatenated into HTML without escaping $output = '<div class="um-shortcode-wrap ' . $atts['mode'] . '">'; return $output; }
Security Fix
@@ -15,7 +15,7 @@ ), $atts ); - $output = '<div class="um-shortcode-wrap ' . $atts['mode'] . '">'; + $output = '<div class="um-shortcode-wrap ' . esc_attr( $atts['mode'] ) . '">'; return $output;
Exploit Outline
The exploit involves an authenticated user (Contributor+) creating or editing a post and inserting an Ultimate Member shortcode. The attacker populates a shortcode attribute with a payload designed to break out of the HTML attribute context. For example, using a payload like `[ultimatemember mode='"><script>alert(document.cookie)</script>']`. When the post is saved and then rendered on the front end, the plugin fails to sanitize the 'mode' attribute, causing the injected script to execute in the security context of any user viewing the page, including administrators.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.