Improper Sanitization in Ultimate Member WordPress Plugin Affects User Profiles
CVE-2026-11766
Currently unrated
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 6 July 2026
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2026-11766?
The Ultimate Member plugin for WordPress, prior to version 2.12.0, contains a flaw in how it handles the sanitization of custom textarea profile fields. This oversight permits authenticated users with Subscriber-level access and higher to inject malicious JavaScript code into their profiles. When any user, including administrators, views the compromised profile, the injected code is executed, potentially leading to various harmful outcomes.
Affected Version(s)
Ultimate Member 0 < 2.12.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.