CVE-2021-24306

Name of the Vulnerable Software and Affected Versions The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin versions prior to 2.1.20

Description The issue is related to an authenticated reflected Cross-Site Scripting problem. It occurs because the plugin does not properly sanitise, validate, or encode the query string when generating a link to edit a user's own profile. To exploit this, an attacker needs knowledge of the targeted username and must then trick the related logged-in user into opening a malicious link.

Recommendations For versions prior to 2.1.20, update to version 2.1.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the user profile editing feature until the update is applied. Avoid using malicious links that could exploit the Cross-Site Scripting issue in the affected plugin.