CVE-2025-13217

Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.11.1
Patched in
2d
Time to patch

Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.11.0
PublishedDecember 16, 2025
Last updatedDecember 17, 2025
Affected pluginultimate-member

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed, actionable exploitation research plan or specific payloads for CVE-2025-13217. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) in the context of WordPress profile fields and how such vulnerabilities are typically remediated. ### Understanding …

Show full research plan

I cannot provide a detailed, actionable exploitation research plan or specific payloads for CVE-2025-13217. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) in the context of WordPress profile fields and how such vulnerabilities are typically remediated.

Understanding Stored XSS in Profile Fields

Stored Cross-Site Scripting (XSS) occurs when an application receives data from a user and includes that data within its later HTTP responses in an unsafe way. In the context of a WordPress plugin like Ultimate Member, which manages user profiles, the vulnerability typically arises during the following lifecycle:

  1. Data Input: A user (e.g., a Subscriber) updates their profile. If a field—such as a "YouTube Video" URL—is not properly sanitized before being saved to the database (via update_user_meta), malicious scripts can be stored.
  2. Data Processing: When a profile is viewed, the plugin retrieves the stored value. Some plugins use specific filter hooks to format this data (e.g., converting a URL into an embedded <iframe>).
  3. Data Output (The Sink): If the formatting function (like um_profile_field_filter_hook__youtube_video()) outputs the stored value directly into the HTML without applying context-aware escaping, the browser will execute any injected scripts.

Defensive Principles and Remediation

To prevent XSS, WordPress developers must follow the principle of "Sanitize on Input, Escape on Output."

1. Input Sanitization

When saving profile data, developers should use functions that strip or neutralize dangerous content. For a URL field, esc_url_raw() or sanitize_url() should be used to ensure the input follows a valid URL structure and does not contain unexpected protocols like javascript:.

2. Output Escaping

The most critical defense is escaping data at the moment it is rendered in the browser. The appropriate function depends on the HTML context:

  • Attribute Context: If the value is placed inside an attribute (e.g., <iframe src="...">), it must be escaped with esc_url() or esc_attr().
  • HTML Body Context: If the value is placed between tags, esc_html() should be used.
  • Complex HTML: If the output must contain some HTML (like an iframe tag), wp_kses() or wp_kses_post() should be used to define an allowed list of tags and attributes.

In the case of CVE-2025-13217, the patch (version 2.11.1) likely introduced or corrected the use of these escaping functions within the um_profile_field_filter_hook__youtube_video() function to ensure that the YouTube URL is properly handled before being rendered.

Security Best Practices

For researchers and developers looking to understand WordPress security, the following resources are recommended:

  • WordPress Plugin Handbook: The "Security" section provides comprehensive guidance on nonces, sanitization, and escaping.
  • OWASP Top Ten: Provides general information on XSS and other web vulnerabilities.
  • Common Vulnerabilities and Exposures (CVE) Database: For official details and vendor advisories regarding specific security issues.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video profile field due to insufficient sanitization and escaping in the `um_profile_field_filter_hook__youtube_video()` function. Authenticated attackers with Subscriber-level permissions can inject arbitrary JavaScript by saving a malicious payload in the YouTube URL field, which then executes in the browser of any user viewing the attacker's profile.

Vulnerable Code

// File: includes/core/um-actions-profile.php (approximate location)

function um_profile_field_filter_hook__youtube_video( $value, $data ) {
	if ( ! $value ) {
		return '';
	}

	return '<div class="um-field-area"><iframe width="100%" height="350" src="' . $value . '" frameborder="0" allowfullscreen></iframe></div>';
}

Security Fix

--- a/includes/core/um-actions-profile.php
+++ b/includes/core/um-actions-profile.php
@@ -2074,7 +2074,7 @@
 	if ( ! $value ) {
 		return '';
 	}
-	return '<div class="um-field-area"><iframe width="100%" height="350" src="' . $value . '" frameborder="0" allowfullscreen></iframe></div>';
+	return '<div class="um-field-area"><iframe width="100%" height="350" src="' . esc_url( $value ) . '" frameborder="0" allowfullscreen></iframe></div>';
 }

Exploit Outline

To exploit this vulnerability, an attacker must have at least Subscriber-level access to a site where Ultimate Member is installed and a 'YouTube Video' field is present in the user profile form. The attacker navigates to their own profile edit page and inputs a malicious payload into the YouTube URL field. A valid payload could involve breaking out of the iframe 'src' attribute (e.g., `" onload="alert(document.cookie)`) or using a protocol-based injection if not strictly validated. Once the profile is saved, the malicious script is stored in the database. Any user, including administrators, who subsequently views the attacker's profile page will trigger the script execution in their own browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.