Ultimate Member 1.2.98-1.2.997, Reflected XSS

The Ultimate Member plugin utilizes the Redux Framework. The Redux Framework includes a script named ‘class.p.php’, which acts as a HTTP proxy. Utilizing this script, it is possible to trigger a Reflected XSS attack, by loading data from a location controlled by the attacker. The data from this location is then output on the target domain, and as such JavaScript is executed under the context of the current user of the site.



CVSS Score


CSSS Vector


Attack Scope


Authorization Required



Update to version 1.3.0

Proof of Concept

If a user of the target site can be tricked into visiting the following URL (the page specified in the ‘url’ parameter would contain your XSS payload), then the HTML/JS within the target page will be executed under the context of the current user.



  • 2015-05-18: Discovered
  • 2015-05-18: Vendor notified
  • 2015-05-18: Vendor responded
  • 2015-06-11: Version 1.2.996 released – issue resolved
  • 2015-06-18: Advisory released
  • 2015-06-22: Notified that issue has in fact not been resolved – Vendor notified
  • 2015-7-07: Version 1.3.0 released – issue resolved (Redux framework updated)