Reflected Cross-Site Scripting Vulnerability in Ultimate Member Plugin for WordPress
CVE-2026-1404
6.1MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 18 February 2026
What is CVE-2026-1404?
The Ultimate Member Plugin for WordPress is susceptible to reflected cross-site scripting (XSS) vulnerabilities owing to inadequate input sanitization and output escaping mechanisms. This vulnerability allows unauthenticated attackers to craft malicious web scripts that execute in the context of a user's session. By exploiting this flaw, attackers can potentially trick users into clicking on a malicious link, thereby injecting arbitrary scripts into the web pages visited. Affected users are urged to upgrade to address this critical security issue.
Affected Version(s)
Ultimate Member β User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 0 <= 2.11.1