Platform: wordpress
Component: wp-emember
Fixed in: 10.2.3
CVE-2026-28073 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP eMember, a WordPress membership plugin. This flaw allows attackers to inject malicious JavaScript code into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability impacts versions prior to 10.2.3 and was publicly disclosed on March 19, 2026. A fix is available in version 10.2.3.
The impact of this XSS vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also be used to redirect users to phishing sites, inject malware, or modify the content of the web page. Given the plugin's function as a membership system, successful exploitation could compromise sensitive user data, including login credentials and payment information. The attack vector is through crafted URLs containing malicious JavaScript payloads, which, if clicked by a user, will execute the code.
CVE-2026-28073 is not currently listed in CISA KEV or EPSS. Its CVSS score of 7.1 (high) indicates a high likelihood of exploitation wherever a vulnerable installation is exposed, and public proof-of-concept exploits are likely to emerge because reflected XSS is easy to exploit. The vulnerability was publicly disclosed on March 19, 2026.
Websites utilizing WP eMember plugin, particularly those with user registration or membership features, are at risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromised website could potentially be used to attack other websites on the same server. Users who frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'tips and tricks hq wpemember' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list | grep wpemember
• wordpress / composer / npm:
  curl -I <your_wordpress_site>/%3Cscript%3Ealert('XSS')%3C/script%
• generic web: Inspect URL parameters for suspicious characters or JavaScript code. Monitor access logs for unusual requests containing XSS payloads.
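As an added example of the access-log monitoring recommended above (this is not code from the advisory or from the plugin vendor): a small Python scanner that percent-decodes each request's query string, including double-encoded values, and flags markup fragments typical of reflected XSS probes. The log lines, parameter names and indicator list are constructed for illustration and are not tied to any specific WP eMember parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format; they are not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Mar/2026:10:01:09 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 9811 "-" "curl/8.5"
203.0.113.9 - - [19/Mar/2026:10:02:15 +0000] "GET /members/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Mar/2026:10:03:00 +0000] "GET /wp-content/plugins/wp-emember/style.css HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
"""
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Markup fragments that have no legitimate place in a membership plugin's query string.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*/?\s*script", re.I)),
    ("html_tag", re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
]

def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded payload such as %253C is seen as '<' as well."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_xss_probes(log_text: str) -> list[dict]:
    """Return one record per request whose decoded query string carries an XSS indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = normalize(m["target"])
        # In a reflected XSS the attacker-controlled text is the query string; the path is noise.
        query = target.partition("?")[2]
        for name, pattern in INDICATORS:
            if pattern.search(query):
                hits.append({"ip": m["ip"], "time": m["ts"], "indicator": name, "target": target})
                break
    return hits

if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["indicator"]}: {hit["target"]}')
```

Feed it real logs with `find_xss_probes(open("access.log").read())`; a hit on a WP eMember endpoint from a version older than 10.2.3 is worth treating as an exploitation attempt.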
Exploit status: disclosure
EPSS: 0.04% (percentile 11%)
The primary mitigation for CVE-2026-28073 is to upgrade WP eMember to version 10.2.3 or later immediately. If upgrading is not immediately feasible, consider deploying a Web Application Firewall (WAF) with rules that filter potentially malicious URL parameters. Input validation and output encoding on the server side also prevent XSS, though that is a more involved change than applying the update. Regularly scan your WordPress installation for vulnerabilities using a security plugin.
CVE-2026-28073 is a Reflected XSS vulnerability in WP eMember versions before 10.2.3, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using WP eMember versions prior to 10.2.3. Check your plugin version and upgrade immediately if necessary.
Upgrade WP eMember to version 10.2.3 or later to patch the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation is confirmed, the high CVSS score and ease of exploitation suggest a high probability of exploitation if the vulnerability remains unpatched.
Refer to the official WP eMember website and WordPress plugin repository for the latest security advisories and updates.