CVE-2026-1404 affects Ultimate Member. It is an unauthenticated reflected cross-site scripting vulnerability triggered through a crafted URL to a public Members List page. The important security property is that the attacker does not need an account: they only need to get a victim to load a link that carries a malicious filter parameter. If the parameter value is reflected into the page without context-correct escaping, the browser parses it as markup and JavaScript executes in the site's origin. That enables the classic XSS outcomes: session token theft, credential phishing overlays, and background requests performed with the victim's cookies and nonces. On sites where administrators routinely browse the front end while logged in, the bug becomes a practical admin session compromise primitive.

CVE: CVE-2026-1404
Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
All-time downloads: 13 046 675
Active installations: 200 000+
Publicly published: February 17, 2026
Last updated: February 17, 2026
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1404

Timeline

January 13, 2026: Plugin testing and vulnerability detection in Ultimate Member were completed
January 13, 2026: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
February 17, 2026: CVE-2026-1404 registered

Discovery of the Vulnerability

The vulnerable surface is the Members List filtering mechanism. The page accepts dynamic filter parameters of the form filter_first_name_* and uses their values to build the filter UI and output. The issue is that the plugin takes the filter value from the query string and renders it back into the HTML without context-correct escaping. A payload built from an image tag with an onerror handler demonstrates the bug because it does not depend on script tags, which some filters strip: if the value is placed into the DOM as HTML rather than as text, the browser parses the tag, the image fetch fails, and the event handler runs. This is reflected XSS because nothing is stored on the server. The payload travels in the request and executes only when the crafted URL is opened.

Understanding Reflected XSS attacks

Reflected XSS on WordPress front-end pages is usually exploited through social engineering. Attackers send a link by email, chat, social media, or support channels and rely on curiosity or trust to get the victim to click. Members List pages are attractive targets because they are public and often linked from navigation menus, so victims readily accept them as legitimate. Once an attacker can run JavaScript in the site's origin, they can capture WordPress nonces embedded in the page, read sensitive data displayed in the DOM, and issue authenticated requests if the victim is logged in. Even when the victim is not logged in, the script can still harvest credentials by injecting a fake login prompt that posts to an attacker endpoint, or redirect the visitor to malware. Because Ultimate Member powers community and membership sites, the large population of logged-in users increases both the pool of victims and the likelihood that one of them holds a privileged session.

Exploiting the Reflected XSS Vulnerability

To exploit CVE-2026-1404, an attacker needs no account and no session cookie. The proof of concept is a single GET request:

POC:

Open a page that renders the Members List and append a filter parameter to its URL:
http://127.0.0.1/wordpress/?page_id=379&filter_first_name_saxq3=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E

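After confirming the PoC, the first question a site owner asks is whether anyone has already sent such a URL. The following is an added example by the editor, not code from the advisory or from the plugin: it scans access log lines in the common Apache/nginx combined format for Members List filter_* parameters whose URL-decoded value contains tag or event-handler syntax. The three log lines are constructed for this example (the first reproduces the PoC parameter, the third is a double-encoded variant).

```php
<?php
// Added example by the editor, not part of the advisory or of Ultimate Member.
// Triage check for a site owner: flag requests whose filter_* parameters carry
// HTML or event-handler syntax, i.e. requests shaped like the PoC URL above.
// The log lines below are constructed for this example.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [17/Feb/2026:10:01:12 +0000] "GET /wordpress/?page_id=379&filter_first_name_saxq3=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Feb/2026:10:02:40 +0000] "GET /wordpress/?page_id=379&filter_first_name_ab12=Ann HTTP/1.1" 200 4998 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2026:10:03:01 +0000] "GET /wordpress/?page_id=379&filter_last_name_zz9=%2522%253E%253Csvg%2Fonload%253Dalert(1)%253E HTTP/1.1" 200 5130 "-" "curl/8.0"
LOG;

/** Return one hit per filter_* parameter that carries tag or event-handler syntax. */
function suspicious_filter_hits(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of a combined-format line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params); // parse_str percent-decodes once
        foreach ($params as $name => $value) {
            if (!is_string($value) || strncmp($name, 'filter_', 7) !== 0) {
                continue;
            }
            // A second decode pass catches double-encoded payloads sent to evade naive filters.
            $decoded = rawurldecode($value);
            // Coarse triage pattern: angle brackets, on*= handlers, javascript: URLs.
            if (preg_match('/<|>|\bon[a-z]+\s*=|javascript:/i', $decoded)) {
                $hits[] = [
                    'client' => strtok($line, ' '),
                    'param'  => $name,
                    'value'  => $decoded,
                ];
            }
        }
    }
    return $hits;
}

foreach (suspicious_filter_hits(SAMPLE_LOG) as $hit) {
    printf("%s  %s=%s\n", $hit['client'], $hit['param'], $hit['value']);
}
```

The pattern is deliberately coarse: it is meant to surface candidates for a human to read, not to be a WAF rule. Run it over the real log with `file_get_contents()` in place of the constant, and treat any hit from an IP that later reached wp-admin as a session to invalidate.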

The highest-impact scenario is targeting administrators and moderators of the community. If an admin opens the crafted link while logged in, the attacker's script runs as the admin and can chain nonces with authenticated requests to perform privileged actions, which can lead to user takeover, plugin installation, or site configuration changes. A second scenario is mass user targeting: the attacker spreads the crafted URL in forum posts, direct messages, or emails to members, producing widespread client-side compromise such as session hijacking or phishing overlays. Because Ultimate Member sites often have registration enabled, an attacker can also create an account and distribute the links internally, which raises trust and click-through rates. The reputational impact can be immediate, because users see popups or strange behavior and support teams are flooded with reports. The vulnerability is also a stepping stone for other attacks: XSS can harvest nonces and then call endpoints that were assumed safe behind CSRF protection.

Recommendations for Improved Security

The fix requires strict output encoding of every filter parameter value before it is rendered into HTML. Values must be treated as plain text and escaped with the function that matches the context they land in (attribute versus text node), and they must never be inserted as raw HTML. It is also prudent to validate filter values server side and reject characters that have no legitimate meaning in a name, such as angle brackets and control characters; quotes are better handled by escaping than by rejection, because apostrophes occur in real names. On the client side, avoid sinks such as innerHTML that interpret values as HTML. As operational mitigations, site owners should update Ultimate Member to a patched version when one is available, deploy a Content Security Policy where feasible (it only blunts this bug if it forbids inline scripts and inline event handlers, which many WordPress themes still rely on), and consider web application firewall rules that block common XSS payload patterns in query parameters. Administrators should avoid clicking untrusted links while logged in and use a separate browser profile for admin sessions, because reflected XSS is primarily a lure-driven attack.
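The mechanism described under Discovery and the escaping and validation advice above fit in one short PHP file. The following is an added example by the editor, not Ultimate Member's code and not a patch for it: it models a hypothetical Members List filter renderer that reflects filter_first_name_* parameters, first the vulnerable way and then hardened. The WordPress functions esc_attr(), esc_html() and sanitize_text_field() are real; the minimal stand-ins at the top exist only so the file runs outside WordPress, and the parameter naming scheme, the helper names and the HTML shape are assumptions for illustration.

```php
<?php
// Added example by the editor, not Ultimate Member's or CleanTalk's code.
// Models a filter renderer that reflects filter_<field>_<suffix> query
// parameters into the page: once the vulnerable way, once hardened.
// esc_attr(), esc_html(), sanitize_text_field() are WordPress functions; the
// stand-ins below only let this file run stand-alone (sanitize_text_field is
// approximated: strip tags, control characters, surrounding whitespace).

if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string
    {
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

/** Collect filter_<field>_<suffix> parameters from a query array (hypothetical naming scheme). */
function collect_filters(array $query): array
{
    $filters = [];
    foreach ($query as $key => $value) {
        if (is_string($value) && preg_match('/^filter_([a-z_]+?)_[a-z0-9]+$/', $key, $m)) {
            $filters[$m[1]] = $value;
        }
    }
    return $filters;
}

/** VULNERABLE: raw value concatenated into a text node and an attribute. The PoC tag survives as markup. */
function render_filters_vulnerable(array $filters): string
{
    $html = '';
    foreach ($filters as $field => $value) {
        $html .= '<div class="um-filter">Filter: ' . $value
               . '<input type="text" name="filter_' . $field . '" value="' . $value . '"></div>';
    }
    return $html;
}

/** Server-side validation: a name never legitimately contains angle brackets or control
 *  characters. Quotes are not rejected, since apostrophes occur in real names; escaping handles them. */
function is_plausible_name(string $value): bool
{
    return $value !== ''
        && strlen($value) <= 64
        && !preg_match('/[<>\x00-\x1F\x7F]/', $value);
}

/** HARDENED: sanitize, validate, then escape for the exact context each value lands in. */
function render_filters_safe(array $filters): string
{
    $html = '';
    foreach ($filters as $field => $value) {
        $value = sanitize_text_field($value);
        if (!is_plausible_name($value)) {
            continue; // drop the filter rather than echo anything attacker-shaped
        }
        $html .= '<div class="um-filter">Filter: ' . esc_html($value)
               . '<input type="text" name="filter_' . esc_attr($field)
               . '" value="' . esc_attr($value) . '"></div>';
    }
    return $html;
}

// Exercise both renderers: the advisory's PoC tag, an attribute breakout that
// strip_tags() does not touch, and a legitimate name containing an apostrophe.
$samples = [
    'PoC tag payload'    => '<img src=x onerror=alert(1)>',
    'attribute breakout' => '" onmouseover="alert(1)',
    'legitimate name'    => "O'Brien",
];
foreach ($samples as $label => $value) {
    $filters = collect_filters(['page_id' => '379', 'filter_first_name_saxq3' => $value]);
    echo $label, "\n";
    echo "  vulnerable: ", render_filters_vulnerable($filters), "\n";
    echo "  hardened:   ", render_filters_safe($filters), "\n";
}
```

The second sample is the reason escaping, not validation, is the primary control: it contains no angle brackets, so a blocklist on `<` and `>` lets it through, and in the vulnerable renderer it closes the value attribute and adds an onmouseover handler. In the hardened renderer esc_attr() turns its quotes into `&quot;` and the browser sees an ordinary string. The third sample shows that a legitimate apostrophe is preserved rather than rejected.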

By taking proactive measures against reflected XSS such as CVE-2026-1404, WordPress website owners can improve their security posture and reduce the chance of exploitation. Stay vigilant, stay secure.

#WordPressSecurity #ReflectedXSS #WebsiteSafety #StayProtected #HighVulnerability


CVE-2026-1404 – Ultimate Member – Unauth Reflected XSS – POC
