Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the βUltimate Member - User Profile & Membershipβ plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the βPrimary button Textβ or βSecond button textβ field.