PT-2025-51859 · WordPress · The Ultimate Member

Kevin Wydler · Published 2025-12-17 · Updated 2025-12-17 · CVE-2025-13217

CVSS v3.1: 6.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress versions prior to 2.11.1

Description

The software is susceptible to a Stored Cross-Site Scripting issue. Insufficient input sanitization and output escaping on user-supplied YouTube video URLs allow authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts. These scripts execute when a user accesses the profile page of the user who injected the script. The issue is related to the YouTube Video 'value' field and the um_profile_field_filter_hook__youtube_video() function.

Recommendations

Update The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress to version 2.11.1 or later.
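
The defensive pattern the description points at, as an added example (not the plugin's code and not its 2.11.1 patch): accept a user-supplied YouTube URL only if an allowlisted video ID can be extracted, then build the embed markup from that ID alone and escape it on output. The function names `example_youtube_video_id` and `example_render_youtube_embed`, the accepted host list and the sample values are assumptions made for illustration.

```php
<?php
// Added example; function names are hypothetical and are not the plugin's API.

/** Return the 11-character video ID from a user-supplied YouTube URL, or null if it is not one. */
function example_youtube_video_id(string $value): ?string
{
    $parts = parse_url(trim($value));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null; // rejects javascript:, data: and other non-https schemes
    }
    $host = strtolower($parts['host']);
    $path = $parts['path'] ?? '';
    $id   = null;

    if ($host === 'youtu.be') {
        $id = ltrim($path, '/');
    } elseif (in_array($host, ['youtube.com', 'www.youtube.com', 'm.youtube.com'], true)) {
        if ($path === '/watch') {
            parse_str($parts['query'] ?? '', $query);
            $id = $query['v'] ?? null; // may be an array (v[]=...), checked below
        } elseif (preg_match('#^/(?:embed|shorts)/([^/]+)$#', $path, $m)) {
            $id = $m[1];
        }
    }
    // Allowlist the ID itself: anything outside [A-Za-z0-9_-]{11} is rejected.
    return (is_string($id) && preg_match('/\A[A-Za-z0-9_-]{11}\z/', $id)) ? $id : null;
}

/** Build the embed markup from the validated ID only; the raw value is never echoed. */
function example_render_youtube_embed(string $value): string
{
    $id = example_youtube_video_id($value);
    if ($id === null) {
        return ''; // render nothing rather than an unvalidated string
    }
    $src = 'https://www.youtube.com/embed/' . $id;
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" allowfullscreen></iframe>';
}

// Constructed sample values: one ordinary link, one carrying markup in the ID position.
foreach (['https://www.youtube.com/watch?v=dQw4w9WgXcQ', 'https://youtu.be/"><b>not-an-id</b>'] as $sample) {
    var_dump(example_render_youtube_embed($sample));
}
```

The first sample yields an iframe pointing at the rebuilt embed URL; the second yields an empty string. Inside WordPress the output step would normally use `esc_url()` and `esc_attr()` in place of `htmlspecialchars()`.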

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-13217

Affected Products

The Ultimate Member