Login Sign Up

CVE-2025-13220

6.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious JavaScript into pages using the Ultimate Member plugin's shortcodes. The injected scripts execute whenever other users view those pages, enabling persistent cross-site scripting attacks. All WordPress sites using Ultimate Member plugin versions up to 2.11.0 are affected.

💻 Affected Systems

Products:
  • Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress
Versions: All versions up to and including 2.11.0
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Ultimate Member plugin and at least one user with Contributor role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal admin credentials, hijack user sessions, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.

🟠

Likely Case

Attackers with contributor access inject malicious scripts to steal user session cookies, perform actions on behalf of users, or display phishing content to visitors.

🟢

If Mitigated

With proper input validation and output escaping, the attack would fail to execute scripts, limiting impact to harmless HTML display issues.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has Contributor-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.1 or later

Vendor Advisory: https://wordpress.org/plugins/ultimate-member/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Ultimate Member plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.11.1+ from WordPress.org and manually replace plugin files.

🔧 Temporary Workarounds

Remove Contributor Role Access

all

Temporarily restrict Contributor-level users from creating or editing posts until patched.

Disable Ultimate Member Plugin

linux

Deactivate the plugin if not essential for site functionality.

wp plugin deactivate ultimate-member

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads in shortcode parameters
  • Regularly audit user accounts and remove unnecessary Contributor-level access

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Ultimate Member version. If version is 2.11.0 or lower, you are vulnerable.

Check Version:

wp plugin get ultimate-member --field=version

Verify Fix Applied:

After updating, verify Ultimate Member plugin version is 2.11.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shortcode modifications in post/page edits
  • Multiple failed login attempts followed by successful Contributor-level login

Network Indicators:

  • JavaScript payloads in HTTP POST parameters to WordPress admin-ajax.php or similar endpoints

SIEM Query:

source="wordpress.log" AND ("shortcode" AND ("script" OR "onclick" OR "javascript:"))

📊 Metadata

CVE ID: CVE-2025-13220
CVSS v3 Score: 6.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.06% exploit probability (17th percentile)
Published: December 21, 2025
Last Updated: December 23, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13220, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)