CVE-2018-10234

Name of the Vulnerable Software and Affected Versions: User Profile & Membership plugin versions prior to 2.0.11

Description: An issue exists in the User Profile & Membership plugin for WordPress, where authenticated cross-site scripting is possible. This is due to a vulnerability in the Account Deletion Custom Text input field, which is accessible on the wp-admin/admin.php?page=um options&section=account page.

Recommendations: For versions prior to 2.0.11, update to version 2.0.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/admin.php?page=um options&section=account page until the update is applied. Avoid using the Account Deletion Custom Text input field in the affected plugin until the issue is resolved.