Description
The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Ultimate Member plugin enables authenticated attackers with Contributor role or higher to perform an account takeover by leaking password reset URLs. Through a combination of three logic flaws, an attacker can create a malicious post, hijack the directory retrieval mechanism, inject a 'password_reset_link' field, and obtain live reset links for all users in the directory response, including administrators. This flaw undermines the confidentiality and integrity of the user accounts, allowing attackers to reset passwords and gain full control of any account.

Affected Systems

All releases of Ultimate Member up to and including 2.11.4 are affected. The plugin is a WordPress extension that manages user profiles, registrations, login workflows, member directories, content restriction, and membership features. Any site running an unpatched 2.11.4 or older installation of the plugin is at risk.

Risk and Exploitability

The issue carries a CVSS base score of 8.8, indicating a high severity; EPSS data is not available, and the vulnerability is not yet catalogued in the CISA KEV list. Exploitation requires an authenticated Contributor-level user and the ability to submit an XMLRPC request to the WordPress instance, which is commonly available. The assembled attack chain demonstrates that a relatively low technical skill is sufficient to generate the required payloads. Consequently, the risk to systems running the affected plugin is significant, especially for sites with broad Contributor access or exposed XMLRPC endpoints.

Generated by OpenCVE AI on June 24, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ultimate Member plugin to the latest available version where the logic bugs are fixed.
  • Disable XMLRPC for all non-admin users or restrict access to trusted administrators only.
  • Restrict or revoke Contributor permissions for users who do not need posting capabilities, or apply a role-based access control plugin to limit the ability to create posts.
  • Monitor user activity for unexpected password reset link exposures, and use a security plugin to block or filter the 'password_reset_link' meta field on output.

Generated by OpenCVE AI on June 24, 2026 at 13:43 UTC.
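A site-level hardening drop-in, added here as an example and not code from Ultimate Member or OpenCVE, that narrows the two preconditions the description (logic bug 2) and the recommended actions above rely on: Contributor post creation over XML-RPC, and meta keys that carry '_um_' somewhere other than the start of the key. It assumes the crafted meta fields reach the plugin through WordPress's own meta capability checks (XML-RPC custom_fields, REST, the Custom Fields box); the hooks used (xmlrpc_call, is_protected_meta, xmlrpc_enabled) are standard WordPress hooks, and the post-method list is a chosen assumption. It is defense in depth, not a fix for the plugin; updating remains the remediation.

```php
<?php
/**
 * Plugin Name: UM hardening (example mu-plugin)
 * Drop into wp-content/mu-plugins/. Added defensive example; not Ultimate
 * Member's own code. It does not patch the plugin, it only removes the
 * preconditions the advisory describes (Contributor XML-RPC post creation
 * carrying crafted meta keys).
 */

// 1. Only administrators may create or edit posts over XML-RPC. Other
//    authenticated callers receive an XML-RPC fault instead of a saved post.
//    If nothing on the site needs XML-RPC at all, the simpler setting is:
//    add_filter( 'xmlrpc_enabled', '__return_false' );
add_action( 'xmlrpc_call', function ( $method ) {
    // Assumed list of methods that create or edit posts (and their meta).
    $post_methods = array(
        'wp.newPost', 'wp.editPost',
        'metaWeblog.newPost', 'metaWeblog.editPost',
        'blogger.newPost', 'blogger.editPost',
    );
    if ( in_array( $method, $post_methods, true ) && ! current_user_can( 'manage_options' ) ) {
        // The caller is already authenticated here; wp_die() emits an XML-RPC
        // fault when XMLRPC_REQUEST is defined, so the request ends cleanly.
        wp_die( 'XML-RPC post creation is limited to administrators.', 403 );
    }
} );

// 2. Treat any post meta key that contains '_um_' at position 1 or later as
//    protected. WordPress already protects keys that start with '_', so this
//    closes the "prefix anywhere" gap for user-facing writes (XML-RPC
//    custom_fields, REST, wp-admin Custom Fields box), which go through the
//    add_post_meta / edit_post_meta capability checks. Direct
//    update_post_meta() calls from plugin code are not subject to this check,
//    so the plugin's own directory settings keep working.
add_filter( 'is_protected_meta', function ( $protected, $meta_key, $meta_type ) {
    if ( 'post' === $meta_type && false !== strpos( $meta_key, '_um_', 1 ) ) {
        return true;
    }
    return $protected;
}, 10, 3 );
```

Pair this with a review of existing wp_postmeta rows whose meta_key contains '_um_' without starting with it, since the filter only governs new writes.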

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared  (none)            Ultimatemember; Ultimatemember ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin; Wordpress; Wordpress wordpress
Vendors & Products   (none)            Ultimatemember; Ultimatemember ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin; Wordpress; Wordpress wordpress

Wed, 24 Jun 2026 07:45:00 +0000

Type         Values Removed    Values Added
Description  (none)            (the description text shown at the top of this page)
Title        (none)            Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure
Weaknesses   (none)            CWE-862
References   (none)            (none)
Metrics      (none)            cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T06:49:37.493Z

Reserved: 2026-05-04T03:56:30.381Z

Link: CVE-2026-7761

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses