WP eMember < 10.6.7 - Reflected XSS
Description
The wp-eMember plugin before 10.6.7 has a reflected XSS vulnerability due to unsanitized output of REQUEST_URI, affecting users of older browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The wp-eMember WordPress plugin versions before 10.6.7 fail to escape the $_SERVER['REQUEST_URI'] parameter before outputting it into an HTML attribute. This flaw allows an attacker to inject arbitrary JavaScript or HTML via a crafted URL that reflects back to the user. The vulnerability is present in any page that utilizes the unsanitized REQUEST_URI output. The issue is fixed in version 10.6.7 [1].
Exploitation
An attacker needs to craft a malicious URL containing a payload in the request URI and lure a victim using an older web browser (e.g., Internet Explorer) to click it. The payload is reflected back in the page's attribute context without proper encoding, leading to execution of the injected script in the victim's browser. No authentication or special privileges are required; only user interaction (clicking the link) is needed.
Impact
Successful exploitation results in reflected cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, defacement, or redirection to malicious sites. The attack requires the victim to use an older browser that does not properly handle the attribute context, limiting the impact to such users.
Mitigation
Users should update the wp-eMember plugin to version 10.6.7 or later, which contains the fix [1]. As a workaround, ensure that no unsanitized server variables are output, but upgrading is the recommended solution. There is no evidence of this CVE being listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- Range: <10.6.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output escaping of `$_SERVER['REQUEST_URI']` before it is reflected in an HTML attribute."
Attack vector
An attacker crafts a malicious URL containing a JavaScript payload in the path or query string. When a visitor using an older web browser clicks the link, the plugin reflects the unescaped `$_SERVER['REQUEST_URI']` value into an HTML attribute, allowing the injected script to execute in the victim's browser [1]. No authentication is required; the attack is delivered entirely via the crafted link.
Affected code
The plugin does not escape the `$_SERVER['REQUEST_URI']` parameter before outputting it back in an HTML attribute [1]. The advisory does not specify the exact file or function name where this occurs.
What the fix does
The advisory states the fix was released in version 10.6.7 [1]. No patch diff is available in the bundle, but the remediation involves properly escaping the `$_SERVER['REQUEST_URI']` value before outputting it in an attribute, preventing script injection.
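The vulnerable pattern the advisory describes, beside the context-aware escaping a fix of this kind applies, as an added illustration; this is not wp-eMember's own code (the function names and the form markup are hypothetical, while `esc_attr()` and `esc_url()` are the real WordPress escaping APIs):

```php
<?php
// Added illustration, not code from wp-eMember. The function names and the
// form markup are hypothetical; only the escaping calls are WordPress APIs.

// Vulnerable pattern (as described in the advisory): the raw request URI is
// echoed straight into an attribute value, so any quote or angle bracket that
// a browser passes through without percent-encoding closes the attribute and
// lets the remainder of the URI be parsed as markup.
function emember_form_action_unsafe() {
    return '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';
}

// Hardened pattern: escape for the attribute context before output.
// esc_attr() HTML-encodes quotes and angle brackets so the value cannot
// terminate the attribute; for href/action attributes that must hold a URL,
// esc_url() is the tighter choice because it also strips characters that are
// not valid in a URL and rejects schemes outside the allowed list.
function emember_form_action_safe() {
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    return '<form method="post" action="' . esc_url($uri) . '">';
}

// Same rule for any non-URL attribute that reflects the request URI.
function emember_data_attr_safe() {
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    return '<div data-current-uri="' . esc_attr($uri) . '"></div>';
}
```

When auditing a plugin for this class of bug, a search for `echo`/`print` of `$_SERVER['REQUEST_URI']` (or string concatenation of it into markup) that is not wrapped in an `esc_*` call locates the candidate sites.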
Preconditions
- config: The victim must use an older web browser that does not properly handle context-aware output escaping
- input: The attacker must trick the victim into clicking a crafted URL
- auth: No authentication required
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/ba50e25c-7250-4025-a72f-74f8eb756246/ (WPScan advisory; tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.