VYPR
High severity · 7.1 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 28, 2026

CVE-2026-28073

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS. This issue affects WP eMember: from n/a through v10.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WP eMember plugin (≤v10.2.2) allows attackers to inject malicious scripts via crafted links, requiring user interaction.

Vulnerability Overview

The WP eMember plugin for WordPress, versions up to and including v10.2.2, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page, which is then executed in the context of the victim's browser.

Exploitation Prerequisites

Exploitation requires user interaction—a privileged user (e.g., an administrator) must click a malicious link, visit a specially crafted page, or submit a form [1]. The attack does not require authentication for the initial injection, but the payload is only triggered when a targeted user performs the action. This makes it suitable for mass-exploit campaigns targeting thousands of sites regardless of size or popularity [1].

Impact

Successful exploitation allows an attacker to execute malicious scripts in the victim's browser, potentially leading to session hijacking, redirection to malicious sites, injection of advertisements, or other HTML payloads [1]. The CVSS v3 score of 7.1 (High) reflects the moderate complexity and potential for widespread abuse.

Mitigation

As of the publication date, no official patch has been released for the affected versions. Users are advised to update the plugin immediately when a fix becomes available [1]. In the interim, Patchstack has issued a mitigation rule to block attacks until an official patch can be tested and safely applied [1]. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 1