The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
https://wpscan.com/vulnerability/ba50e25c-7250-4025-a72f-74f8eb756246/