WP eMember < 10.6.6 - Reflected XSS
Description
Reflected XSS in wp-eMember plugin before 10.6.6 allows attackers to inject scripts, potentially compromising high-privilege users like admins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The wp-eMember plugin for WordPress versions before 10.6.6 fails to sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability [1].
Exploitation
An attacker can craft a malicious URL containing the unsanitized parameter and entice a high-privilege user, such as an admin, to click it. The injected script executes in the context of the victim's browser, allowing the attacker to perform actions on behalf of the victim [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the admin's browser, potentially leading to session hijacking, defacement, or further compromise of the WordPress site [1].
Mitigation
Update to version 10.6.6 or later, which fixes the issue [1]. No known workarounds are available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
- Range: <10.6.6
Patches
No patches discovered yet.
References
- [1] wpscan.com/vulnerability/174a2ba8-0215-480f-93ec-83ebc4a3200e/ (tags: mitre, exploit, vdb-entry, technical-description)