VYPR
Unrated severity · NVD Advisory · Published Jun 4, 2024 · Updated Aug 1, 2024

WP eMember < 10.3.9 - Reflected XSS

CVE-2024-4749

Description

The wp-eMember plugin before 10.3.9 fails to sanitize and escape the 'fieldId' parameter, allowing reflected XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The wp-eMember WordPress plugin, in versions prior to 10.3.9, does not sanitize or escape the fieldId parameter before echoing it back into the page. The missing input validation and output escaping result in a reflected cross-site scripting (XSS) vulnerability [CWE-79] [1]. The flaw lies in how certain plugin pages handle the fieldId parameter.

Exploitation

An attacker exploits this vulnerability by crafting a URL that carries a script payload in the fieldId parameter. No authentication is required; the attacker only needs to lure a victim into opening the crafted link. When the victim, who may hold a valid session on the site or merely be browsing it, opens the link, the injected script runs in their browser in the context of the site [1]. No special network position or user interaction beyond clicking the link is needed.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to information disclosure (e.g., theft of session cookies, tokens, or other sensitive data), defacement, or redirection to malicious sites. The CVSS score is 7.1 (High) [1], indicating significant potential impact on the confidentiality, integrity, and availability of the affected WordPress instance, though the effect is confined to the victim's browser session.

Mitigation

The vulnerability is fixed in version 10.3.9 of the wp-eMember plugin [1]. Users should update to the latest patched version immediately. No workarounds are documented in the available references. The vulnerability is verified and publicly disclosed [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization and output escaping of the 'fieldId' parameter allows reflected cross-site scripting."

Attack vector

An attacker can craft a malicious URL containing a JavaScript payload in the "fieldId" parameter. When a victim visits this crafted URL, the plugin outputs the unsanitized parameter directly into the page, causing the attacker's script to execute in the victim's browser [1]. This is a reflected cross-site scripting (XSS) attack [CWE-79] that requires user interaction (clicking the malicious link).

Affected code

The wp-eMember plugin fails to sanitize and escape the "fieldId" parameter before outputting it back in the page [1]. The advisory does not specify the exact file or function where the vulnerable parameter is processed.

What the fix does

The advisory states the vulnerability is fixed in version 10.3.9 of the wp-eMember plugin [1]. No patch diff is provided in the bundle, but the fix presumably involves properly sanitizing and escaping the "fieldId" parameter before outputting it in the page response, preventing script injection.
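To make the class of fix concrete, here is an added illustration of the vulnerable pattern the advisory describes beside a hardened form built on WordPress' own sanitize/escape helpers. This is not wp-eMember's code (the advisory names no file or function); the function names and surrounding markup are assumptions.

```php
<?php
// Added illustration, not wp-eMember code. The handler names and the markup
// around the parameter are assumptions; only the parameter name comes from
// the advisory.

// BEFORE (the CWE-79 pattern): the request parameter is echoed straight into
// an attribute and into element text, so a quote or "<" in ?fieldId=... is
// rendered as markup by the victim's browser instead of as data.
function vypr_example_render_field_vulnerable() {
    $field_id = isset( $_GET['fieldId'] ) ? $_GET['fieldId'] : '';
    echo '<input type="text" name="fieldId" value="' . $field_id . '">';
    echo '<p>Editing field ' . $field_id . '</p>';
}

// AFTER: treat the value as untrusted on the way in and as data on the way
// out. sanitize_text_field() strips tags and control characters; esc_attr()
// and esc_html() entity-encode for the specific output context, which is what
// actually stops the browser from interpreting the value as markup. Note that
// the escaping function must match the context: esc_attr() for an attribute
// value, esc_html() for element text.
function vypr_example_render_field_fixed() {
    $field_id = isset( $_GET['fieldId'] )
        ? sanitize_text_field( wp_unslash( $_GET['fieldId'] ) )
        : '';
    echo '<input type="text" name="fieldId" value="' . esc_attr( $field_id ) . '">';
    echo '<p>Editing field ' . esc_html( $field_id ) . '</p>';
}

// If fieldId is only ever a numeric identifier (the advisory does not say),
// the tighter option is to coerce it to an integer, which leaves nothing to
// escape and rejects any non-numeric payload outright.
function vypr_example_field_id_as_int() {
    return isset( $_GET['fieldId'] ) ? absint( $_GET['fieldId'] ) : 0;
}
```

In code review, the vulnerable shape is any `$_GET`, `$_POST` or `$_REQUEST` value that reaches `echo` or `print` without passing through an `esc_*()` call appropriate to its output context.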

Preconditions

  • config: The wp-eMember plugin must be installed and active on a WordPress site
  • auth: The victim must be logged into or browsing the WordPress site
  • input: The victim must click a crafted link containing the XSS payload

Reproduction

The advisory at [1] states a proof of concept exists but does not include the specific reproduction steps in the extracted text. No other PoC details are provided in the bundle.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
