CVE-2025-15064
Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM GadgetsThe Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when "HTML support for user description" is enabled in Ultimate Member settings.
We have discovered 25,341 live websites that are affected by CVE-2025-15064.
Affected Software
| Product |  Ultimate Member |
| Category | Wordpress Plugins |
| Vulnerable Domains | 25,341 live websites (61% of Ultimate Member install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 109 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Apr 4, 2026
- Updated - Apr 8, 2026
Credits
- Kevin Wydler (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-15064 United States | 6,531 websites |
 Germany | 3,132 websites |
 France | 1,958 websites |
 Italy | 1,230 websites |
 GB | 1,208 websites |
 Spain | 1,067 websites |
 Netherlands | 589 websites |
 Canada | 562 websites |
 Switzerland | 499 websites |
 India | 448 websites |
Website Distribution by TLD
Number of websites using CVE-2025-15064| .com | 9,020 websites |
| .org | 2,595 websites |
| .de | 1,772 websites |
| .fr | 912 websites |
| .it | 848 websites |
| .net | 596 websites |
| .nl | 566 websites |
| .es | 520 websites |
| .co.uk | 516 websites |
| .ch | 386 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-15064
Top websites that are affected by CVE-2025-15064. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.com | United States | **,*** | |
| ***********.net | United States | **,*** | |
| **********.org | United States | **,*** | |
| ******.de | United States | **,*** | |
| **********.com | United States | **,*** | |
| ********.com | Canada | **,*** | |
| *************.net | United States | **,*** | |
| ********.**.il |  Israel | **,*** | |
| *********.com | United States | **,*** | |
| **.ru |  Russia | **,*** |
FAQ
CVE-2025-15064 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ultimate Member
A total of 25,341 websites have been identified as vulnerable to CVE-2025-15064, based on global website indexing conducted by WebTechSurvey.
The Ultimate Member is affected by the CVE-2025-15064 vulnerability.
Ultimate Member versions up to and including 2.11.1 are vulnerable to CVE-2025-15064.