CVE-2026-1404

Name of the Vulnerable Software and Affected Versions The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin versions prior to 2.11.2

Description The Ultimate Member plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages. Successful exploitation requires tricking a user into performing an action, such as clicking a malicious link. The vulnerability is present through the filter parameters, for example, filter first name.

Recommendations Update The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin to version 2.11.2 or later.