Cross-site Scripting Vulnerability in Tips and Tricks HQ WP eMember Plugin
CVE-2026-28073

7.1HIGH

Key Information:

Vendor: WordPress
Status: WP Emember
Vendor: CVE Published:; 19 March 2026

What is CVE-2026-28073?

A Cross-site Scripting (XSS) vulnerability has been identified in the Tips and Tricks HQ WP eMember plugin, allowing attackers to inject malicious scripts into web pages. This can lead to reflected XSS attacks, where user input is improperly handled, allowing the execution of unauthorized scripts in the context of other users' browsers. The vulnerability affects all versions of WP eMember up to 10.2.2, emphasizing the need for immediate attention and remediation to ensure user safety and application security.

Affected Version(s)

WP eMember <= n/a

References

https://patchstack.com/database/wordpress/plugin/wp-ememb...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Feb 25, 2026

Credit

Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program

CVE-2026-28073 Data

JSON