Platform
wordpress
Component
wp-emember
Fixed in
10.2.3
CVE-2026-28073 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP eMember, a WordPress membership plugin. This flaw allows attackers to inject malicious JavaScript code into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability impacts versions prior to 10.2.3 and was publicly disclosed on March 19, 2026. A fix is available in version 10.2.3.
The impact of this XSS vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also be used to redirect users to phishing sites, inject malware, or modify the content of the web page. Given the plugin's function as a membership system, successful exploitation could compromise sensitive user data, including login credentials and payment information. The attack vector is through crafted URLs containing malicious JavaScript payloads, which, if clicked by a user, will execute the code.
CVE-2026-28073 is not currently listed on KEV or EPSS. The CVSS score of 7.1 indicates a high probability of exploitation if the vulnerability is exposed. Public proof-of-concept exploits are likely to emerge given the ease of exploiting reflected XSS vulnerabilities. The vulnerability was publicly disclosed on March 19, 2026.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28073 is to immediately upgrade WP eMember to version 10.2.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out potentially malicious URL parameters. Input validation and output encoding on the server-side can also help prevent XSS attacks, though this is a more complex solution. Regularly scan your WordPress installation for vulnerabilities using a security plugin.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-28073 is a Reflected XSS vulnerability in WP eMember versions before 10.2.3, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using WP eMember versions prior to 10.2.3. Check your plugin version and upgrade immediately if necessary.
Upgrade WP eMember to version 10.2.3 or later to patch the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation is confirmed, the high CVSS score and ease of exploitation suggest a high probability of exploitation if the vulnerability remains unpatched.
Refer to the official WP eMember website and WordPress plugin repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.