Platform
wordpress
Component
wp-emember
Fixed in
10.2.3
CVE-2026-28073 describes a Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP eMember, a WordPress membership plugin. This flaw allows attackers to inject malicious JavaScript code into web pages viewed by other users, potentially leading to session hijacking, data theft, or defacement. The vulnerability impacts versions prior to 10.2.3 and was publicly disclosed on March 19, 2026. A fix is available in version 10.2.3.
The impact of this XSS vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be exploited to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also be used to redirect users to phishing sites, inject malware, or modify the content of the web page. Given the plugin's function as a membership system, successful exploitation could compromise sensitive user data, including login credentials and payment information. The attack vector is through crafted URLs containing malicious JavaScript payloads, which, if clicked by a user, will execute the code.
CVE-2026-28073 is not currently listed on KEV or EPSS. The CVSS score of 7.1 indicates a high probability of exploitation if the vulnerability is exposed. Public proof-of-concept exploits are likely to emerge given the ease of exploiting reflected XSS vulnerabilities. The vulnerability was publicly disclosed on March 19, 2026.
Websites utilizing the WP eMember plugin, particularly those with user registration or membership features, are at risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a compromised website could potentially be used to attack other websites on the same server. Users who frequently click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'tips and tricks hq wpemember' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list | grep wpemember
• wordpress / composer / npm:
  curl -I <your_wordpress_site>/%3Cscript%3Ealert('XSS')%3C/script%
• generic web: Inspect URL parameters for suspicious characters or JavaScript code. Monitor access logs for unusual requests containing XSS payloads.
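To act on the version check and the access-log review above, here is an added example (not part of the advisory or of the plugin's own code) that compares an installed version string against the 10.2.3 fix and triages access-log lines for percent-encoded (including double-encoded) script payloads. The log entries and the `q` parameter name are constructed, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

FIXED = (10, 2, 3)  # first WP eMember release that fixes CVE-2026-28073

def is_vulnerable(version: str) -> bool:
    """True when a plugin version string (e.g. from `wp plugin list`) is below 10.2.3."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED

# Coarse markers of script injection in a decoded value; tune them to your own traffic.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(img|svg|iframe)\b", re.I)
# Common/combined access-log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def decode_fully(value: str, rounds: int = 3) -> str:
    # Peel repeated percent-encoding so double-encoded payloads are not missed.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(line: str):
    """Return (ip, target, [(where, decoded_value), ...]) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    url = urlsplit(target)
    hits = []
    path = decode_fully(url.path)
    if XSS_MARKERS.search(path):        # payload carried in the path itself
        hits.append(("path", path))
    for key, val in parse_qsl(url.query, keep_blank_values=True):
        val = decode_fully(val)         # parse_qsl decoded one layer already
        if XSS_MARKERS.search(val):
            hits.append((key, val))
    return (m.group("ip"), target, hits) if hits else None

def scan_log(lines):
    """Run flag_request over every log line and keep only the hits."""
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample entries (not real traffic); the parameter name `q` is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Mar/2026:10:00:01 +0000] "GET /?s=membership HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Mar/2026:10:00:02 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 0',
    '203.0.113.9 - - [19/Mar/2026:10:00:03 +0000] "GET /?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 0',
]
```

Feed `scan_log` the output of `tail` on your web server's access log to get a first triage list; a hit is a reason to inspect the request and confirm the plugin version, not proof of compromise.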
disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28073 is to immediately upgrade WP eMember to version 10.2.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out potentially malicious URL parameters. Input validation and output encoding on the server-side can also help prevent XSS attacks, though this is a more complex solution. Regularly scan your WordPress installation for vulnerabilities using a security plugin.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-28073 is a Reflected XSS vulnerability in WP eMember versions before 10.2.3, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using WP eMember versions prior to 10.2.3. Check your plugin version and upgrade immediately if necessary.
Upgrade WP eMember to version 10.2.3 or later to patch the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation is confirmed, the high CVSS score and ease of exploitation suggest a high probability of exploitation if the vulnerability remains unpatched.
Refer to the official WP eMember website and WordPress plugin repository for the latest security advisories and updates.