PT-2026-30307 · WordPress · Ultimate Member
Kevin Wydler
·
Published
2026-04-04
·
Updated
2026-04-04
·
CVE-2025-15064
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin versions prior to 2.11.2
Description
The Ultimate Member plugin for WordPress is vulnerable to stored cross-site scripting via the user description field. Because the value is neither sufficiently sanitized on input nor escaped on output, an authenticated attacker with Subscriber-level access or higher can store arbitrary HTML and script in their profile description, which then executes in the browser of any user who views a page rendering that field. The issue is exploitable only when the 'HTML support for user description' option is enabled in the plugin settings.
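As an added example (not Ultimate Member's own code, and not a reproduction of the vulnerable code), the following sketches the save and render paths a WordPress plugin needs when an admin setting can turn a user-controlled description field into an HTML field. The `xss_demo_` function names, the option name and the payload are assumptions for illustration; the example relies on the real WordPress functions `wp_kses()`, `esc_html()` and `wp_strip_all_tags()`, so it runs inside a WordPress runtime rather than stand-alone.

```php
<?php
// Added illustrative example, not code from the Ultimate Member plugin.
// All xss_demo_ names and the option name are hypothetical.
// Requires the WordPress runtime: wp_kses(), esc_html(), wp_strip_all_tags().

// Constructed attacker input: what a Subscriber might paste into the
// description field. Each fragment targets a different weak spot:
// a raw <script> tag, an event-handler attribute, and a javascript: URL.
const XSS_DEMO_PAYLOAD = '<p>Hi!</p><script>alert(1)</script>'
    . '<img src=x onerror="alert(2)">'
    . '<a href="javascript:alert(3)">link</a>';

// Explicit allowlist for "HTML support" mode: only harmless formatting
// tags and attributes. <img>, <script> and every on* handler attribute are
// absent, so wp_kses() drops them. The <script> element's tags are removed
// and its text ("alert(1)") survives only as inert text.
function xss_demo_allowed_html() {
    return array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
    );
}

// Save path: sanitize according to the current setting before the value
// reaches user meta.
function xss_demo_sanitize_description( $raw, $html_allowed ) {
    if ( ! $html_allowed ) {
        // Plain-text mode: no markup survives at all.
        return wp_strip_all_tags( $raw );
    }
    // HTML mode: allowlist filtering. The third argument is omitted, so
    // wp_kses() falls back to wp_allowed_protocols(), which does not include
    // "javascript:"; the scheme is stripped from the href, leaving it inert.
    return wp_kses( $raw, xss_demo_allowed_html() );
}

// Render path: escape or re-filter at output time as well. The stored value
// must not be trusted: the setting may have been toggled since it was saved,
// or it may have been written by an older, unsanitized code path.
function xss_demo_render_description( $stored, $html_allowed ) {
    if ( ! $html_allowed ) {
        return esc_html( $stored );
    }
    return wp_kses( $stored, xss_demo_allowed_html() );
}

// Usage inside a profile template (hypothetical option and meta key names):
// $html_allowed = (bool) get_option( 'xss_demo_html_support', false );
// $clean = xss_demo_sanitize_description( XSS_DEMO_PAYLOAD, $html_allowed );
// update_user_meta( $user_id, 'description', $clean );
// echo xss_demo_render_description(
//     get_user_meta( $user_id, 'description', true ),
//     $html_allowed
// );
```

The point of filtering on both paths is that the setting is global state: a description saved while HTML support was on and later printed with `esc_html()` is merely ugly, but a description saved while it was off and later printed raw after the option is enabled is a stored XSS, so the render path has to enforce the allowlist itself rather than rely on what happened at save time.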
Recommendations
Update the Ultimate Member plugin to version 2.11.2 or later. Until the update is applied, disable the 'HTML support for user description' option in the plugin settings, since the issue is only exploitable while it is enabled.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Ultimate Member