WP eMember < 10.6.6 - Reflected XSS
Description
Reflected XSS in wp-eMember plugin before 10.6.6 allows high-privilege users to be targeted, leading to arbitrary script execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The wp-eMember WordPress plugin, in versions before 10.6.6, does not sanitize and escape a request parameter before echoing it back into the page, leading to a reflected Cross-Site Scripting (XSS) vulnerability [1]. Any plugin page that reflects the parameter is affected.
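The following is an added illustration of the general pattern described above, not wp-eMember's own code: the affected parameter is not named in the advisory, so the parameter name "msg" and the "notice" markup are hypothetical. The vulnerable function echoes a query-string value straight into HTML; the fixed function sanitizes on input and escapes on output using WordPress's esc_html/esc_attr/sanitize_text_field, with minimal shims so the file also runs outside WordPress.

```php
<?php
// Added example: generic reflected-XSS pattern beside its WordPress-style fix.
// Not wp-eMember's code; the parameter name "msg" and markup are hypothetical.

// Shims so this runs outside WordPress. Inside WP these functions already exist
// and the real ones are used; the shims approximate their behaviour.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Stand-in: strip tags and control characters, then trim. WP's version does more.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Vulnerable pattern: the request parameter is concatenated into HTML untouched.
// Anything the attacker puts in ?msg= lands in the page as markup.
function render_notice_vulnerable(array $get): string {
    $msg = isset($get['msg']) ? $get['msg'] : '';
    return '<div class="notice">' . $msg . '</div>';
}

// Hardened pattern: sanitize on input, then escape for the exact output context
// (esc_attr inside an attribute, esc_html in element text). The output escaping
// is what actually neutralises the payload; sanitization is defence in depth.
function render_notice_fixed(array $get): string {
    $msg = isset($get['msg']) ? sanitize_text_field($get['msg']) : '';
    return '<div class="notice" data-msg="' . esc_attr($msg) . '">'
         . esc_html($msg)
         . '</div>';
}

// Constructed input standing in for the query string of a crafted link.
$crafted = ['msg' => '"><script>alert(document.cookie)</script>'];

echo "Vulnerable output:\n", render_notice_vulnerable($crafted), "\n\n";
echo "Fixed output:\n", render_notice_fixed($crafted), "\n";
```

Run with `php example.php`. The vulnerable branch emits a live `<script>` element; the fixed branch emits `&quot;&gt;alert(document.cookie)` as inert text. Note that strip_tags-style sanitization alone is not a fix (event-handler and attribute-breakout payloads survive it); escaping at the point of output, chosen for the HTML context, is the required change.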
Exploitation
An attacker needs to trick a high-privilege user, such as an admin, into clicking a crafted link containing a malicious payload. The parameter is reflected without proper escaping, causing the malicious JavaScript to execute in the victim's browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, admin account takeover, or other malicious actions [1].
Mitigation
Update to version 10.6.6 or later, where the vulnerability is fixed. No other workarounds are documented [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- wp-eMember WordPress plugin (no CPE assigned), affected range: <10.6.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://wpscan.com/vulnerability/b47d93d6-5511-451a-853f-c8b0fba20969/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.