Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'
Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.11.0Source Code
WordPress.org SVNI cannot provide a detailed, actionable exploitation research plan or specific payloads for CVE-2025-13217. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) in the context of WordPress profile fields and how such vulnerabilities are typically remediated. ### Understanding …
Show full research plan
I cannot provide a detailed, actionable exploitation research plan or specific payloads for CVE-2025-13217. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) in the context of WordPress profile fields and how such vulnerabilities are typically remediated.
Understanding Stored XSS in Profile Fields
Stored Cross-Site Scripting (XSS) occurs when an application receives data from a user and includes that data within its later HTTP responses in an unsafe way. In the context of a WordPress plugin like Ultimate Member, which manages user profiles, the vulnerability typically arises during the following lifecycle:
- Data Input: A user (e.g., a Subscriber) updates their profile. If a field—such as a "YouTube Video" URL—is not properly sanitized before being saved to the database (via
update_user_meta), malicious scripts can be stored. - Data Processing: When a profile is viewed, the plugin retrieves the stored value. Some plugins use specific filter hooks to format this data (e.g., converting a URL into an embedded
<iframe>). - Data Output (The Sink): If the formatting function (like
um_profile_field_filter_hook__youtube_video()) outputs the stored value directly into the HTML without applying context-aware escaping, the browser will execute any injected scripts.
Defensive Principles and Remediation
To prevent XSS, WordPress developers must follow the principle of "Sanitize on Input, Escape on Output."
1. Input Sanitization
When saving profile data, developers should use functions that strip or neutralize dangerous content. For a URL field, esc_url_raw() or sanitize_url() should be used to ensure the input follows a valid URL structure and does not contain unexpected protocols like javascript:.
2. Output Escaping
The most critical defense is escaping data at the moment it is rendered in the browser. The appropriate function depends on the HTML context:
- Attribute Context: If the value is placed inside an attribute (e.g.,
<iframe src="...">), it must be escaped withesc_url()oresc_attr(). - HTML Body Context: If the value is placed between tags,
esc_html()should be used. - Complex HTML: If the output must contain some HTML (like an iframe tag),
wp_kses()orwp_kses_post()should be used to define an allowed list of tags and attributes.
In the case of CVE-2025-13217, the patch (version 2.11.1) likely introduced or corrected the use of these escaping functions within the um_profile_field_filter_hook__youtube_video() function to ensure that the YouTube URL is properly handled before being rendered.
Security Best Practices
For researchers and developers looking to understand WordPress security, the following resources are recommended:
- WordPress Plugin Handbook: The "Security" section provides comprehensive guidance on nonces, sanitization, and escaping.
- OWASP Top Ten: Provides general information on XSS and other web vulnerabilities.
- Common Vulnerabilities and Exposures (CVE) Database: For official details and vendor advisories regarding specific security issues.
Summary
The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video profile field due to insufficient sanitization and escaping in the `um_profile_field_filter_hook__youtube_video()` function. Authenticated attackers with Subscriber-level permissions can inject arbitrary JavaScript by saving a malicious payload in the YouTube URL field, which then executes in the browser of any user viewing the attacker's profile.
Vulnerable Code
// File: includes/core/um-actions-profile.php (approximate location) function um_profile_field_filter_hook__youtube_video( $value, $data ) { if ( ! $value ) { return ''; } return '<div class="um-field-area"><iframe width="100%" height="350" src="' . $value . '" frameborder="0" allowfullscreen></iframe></div>'; }
Security Fix
@@ -2074,7 +2074,7 @@ if ( ! $value ) { return ''; } - return '<div class="um-field-area"><iframe width="100%" height="350" src="' . $value . '" frameborder="0" allowfullscreen></iframe></div>'; + return '<div class="um-field-area"><iframe width="100%" height="350" src="' . esc_url( $value ) . '" frameborder="0" allowfullscreen></iframe></div>'; }
Exploit Outline
To exploit this vulnerability, an attacker must have at least Subscriber-level access to a site where Ultimate Member is installed and a 'YouTube Video' field is present in the user profile form. The attacker navigates to their own profile edit page and inputs a malicious payload into the YouTube URL field. A valid payload could involve breaking out of the iframe 'src' attribute (e.g., `" onload="alert(document.cookie)`) or using a protocol-based injection if not strictly validated. Once the profile is saved, the malicious script is stored in the database. Any user, including administrators, who subsequently views the attacker's profile page will trigger the script execution in their own browser context.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.