WP eMember < 10.6.7 - Unauthenticated Stored XSS via Member Registration
Description
The wp-eMember plugin before 10.6.7 has unauthenticated stored XSS via unsanitized member registration fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The wp-eMember WordPress plugin versions before 10.6.7 fail to sanitize and escape certain fields during member registration, allowing unauthenticated attackers to inject arbitrary web scripts. Specifically, the registration form fields are not properly cleaned before being stored, which leads to Stored Cross-Site Scripting (XSS) vulnerabilities. The fixed version is 10.6.7 [1].
Exploitation
An unauthenticated attacker can exploit this by submitting a registration request with malicious JavaScript payloads in the unsanitized fields. The payload is then stored on the server and executed in the browsers of administrators or visitors who view the affected member data. No authentication or special privileges are required to trigger the vulnerability [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of cookies, session tokens, or other sensitive information, and potentially allow actions on behalf of the authenticated user, such as creating new admin accounts or modifying plugin settings. The CVSS score is 8.8 (high) [1].
Mitigation
Update the plugin to version 10.6.7 or later, which fixes the vulnerability. The fix was included in version 10.6.7, released prior to the public disclosure [1]. No workarounds are documented; users are strongly advised to apply the update.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping on member registration fields allows stored cross-site scripting."
Attack vector
An unauthenticated attacker submits a crafted registration request containing malicious JavaScript in one or more profile fields that the plugin does not sanitize or escape [CWE-79] [ref_id=1]. When the stored payload is later rendered on a page viewed by other users (e.g., an admin viewing member listings), the script executes in their browser session. The attack requires no authentication and no special privileges [ref_id=1].
Affected code
The advisory does not specify exact files or functions. The wp-eMember plugin's member registration form fields are the vulnerable input points, as the plugin fails to sanitize and escape user-supplied data during registration [ref_id=1].
What the fix does
The advisory states the fix was released in version 10.6.7 but does not include a patch diff [ref_id=1]. The remediation involves properly sanitizing and escaping the registration form fields so that attacker-supplied HTML/JavaScript is neutralized before storage and output. Users should update to wp-eMember 10.6.7 or later [ref_id=1].
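As an added example, not wp-eMember's own code (the advisory names no files or functions), the following PHP contrasts the pattern the advisory describes, raw registration input stored and later printed unchanged, with the sanitize-on-input, escape-on-output pattern the fix implies. The field names (`display_name`, `email`), the handler and render function names, and the in-memory member store are assumptions made for the demonstration. `sanitize_text_field()`, `sanitize_email()` and `esc_html()` are real WordPress core functions; the shims below only stand in for them when the script is run outside WordPress, and they approximate the core behaviour rather than reproduce it.

```php
<?php
// Added example, not plugin code. Demonstrates why member registration fields
// must be sanitized before storage and escaped at render time.

// Fallback shims so the script runs outside WordPress. Inside WordPress the
// core functions already exist and these definitions are skipped. They are
// approximations of the core implementations, not copies.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str): string {
        $str = strip_tags((string) $str);                 // drop HTML tags
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);    // collapse whitespace
        return trim($str);
    }
}
if (!function_exists('sanitize_email')) {
    function sanitize_email($email): string {
        $clean = filter_var((string) $email, FILTER_SANITIZE_EMAIL);
        return $clean === false ? '' : $clean;
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Weak pattern (what the advisory describes): the submitted values are stored
// as-is and echoed as-is, so markup in a profile field reaches every page that
// lists members, including an administrator's member listing.
function register_member_unsafe(array $post, array &$members): void {
    $members[] = [
        'display_name' => $post['display_name'] ?? '',
        'email'        => $post['email'] ?? '',
    ];
}

function render_member_row_unsafe(array $member): string {
    return '<tr><td>' . $member['display_name'] . '</td><td>'
         . $member['email'] . '</td></tr>';
}

// Hardened pattern: sanitize on the way in and escape on the way out. Both
// layers matter; sanitizing alone leaves the door open for any other code path
// that echoes the stored value without escaping it.
function register_member_safe(array $post, array &$members): void {
    $members[] = [
        'display_name' => sanitize_text_field($post['display_name'] ?? ''),
        'email'        => sanitize_email($post['email'] ?? ''),
    ];
}

function render_member_row_safe(array $member): string {
    return '<tr><td>' . esc_html($member['display_name']) . '</td><td>'
         . esc_html($member['email']) . '</td></tr>';
}

function check(bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed registration submission (hypothetical) with markup in the
// display name, standing in for what an unauthenticated visitor could submit.
$submission = [
    'display_name' => 'Mallory <script>alert(1)</script>',
    'email'        => 'mallory@example.com',
];

$members_unsafe = [];
$members_safe   = [];
register_member_unsafe($submission, $members_unsafe);
register_member_safe($submission, $members_safe);

$unsafe_html = render_member_row_unsafe($members_unsafe[0]);
$safe_html   = render_member_row_safe($members_safe[0]);

echo "unsafe row: $unsafe_html\n";
echo "safe row:   $safe_html\n";

// The unsafe row carries a live <script> element into the page; the safe row
// contains only the template's own table markup.
check(strpos($unsafe_html, '<script>') !== false, 'unsafe path stores and emits markup');
check(strpos($safe_html, '<script>') === false, 'safe path emits no script tag');
check(strpos(esc_html($members_safe[0]['display_name']), '<') === false,
      'escaped display name contains no raw angle brackets');
echo "ok\n";
```

Run it with `php example.php`; the two echoed rows show the difference directly. In a real WordPress handler the values would also be passed through `wp_unslash()` before sanitizing, and the field would be escaped with the function matching its output context (`esc_attr()` inside an attribute, `esc_html()` in element text), since `sanitize_text_field()` on input is not a substitute for context-appropriate escaping at output.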
Preconditions
- Config: The wp-eMember plugin must be installed and active with member registration enabled.
- Network: The attacker must be able to reach the public registration form (no authentication required).
- Input: The attacker submits a registration payload containing JavaScript in an unsanitized field.
Reproduction
The WPScan advisory includes a proof-of-concept reference but does not publish explicit reproduction steps [ref_id=1]. No standalone PoC script is provided in the bundle.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/bdb5509e-80ab-4e47-83a4-9347796eec40/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions (0)
No linked articles in our index yet.