The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Ultimate Member WordPress plugin before version 2.12.0 contains a stored cross-site scripting (XSS) vulnerability in custom textarea profile fields. The plugin fails to properly sanitize and escape user-supplied content before rendering it on profile pages, enabling authenticated attackers with Subscriber-level permissions or higher to inject malicious JavaScript. When any user—including administrators with elevated privileges—views an affected profile, the injected script executes in their browser context. This is particularly dangerous because attackers can steal session cookies, harvest credentials, redirect users to phishing sites, or perform administrative actions on behalf of compromised users. Any WordPress installation using Ultimate Member is potentially affected if custom textarea fields are configured, making this a significant risk for community-driven sites, membership platforms, and organizations using this plugin for user management.
Casky's Claude AI-powered analysis would identify this vulnerability by mapping it to MITRE ATT&CK techniques including T1059 (Command and Scripting Interpreter) and T1566 (Phishing) patterns, detecting the characteristic signatures of stored XSS attacks. Practitioners using Casky would see findings related to insufficient input validation (CWE-79 class behaviors), improper output encoding during profile rendering, and privilege escalation pathways where low-privilege users can impact high-privilege accounts. The extended reasoning capability would correlate suspicious profile field modifications with subsequent script execution events, revealing the attack chain from injection point to payload execution. Security teams would receive actionable alerts highlighting the need to update the plugin, implement content security policies, and audit existing profile fields for injected content—moving beyond signature-based detection to understand the business logic flaws enabling the attack.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11766. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation