Severity by source
Primary rating from Vendor (Wordfence).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable AJAX/XMLRPC (AV:N), scriptable chain (AC:L), requires a Contributor account (PR:L), no victim interaction (UI:N), and leaked reset links yield admin takeover (C:H/I:H/A:H).
Description (CVE.org)
The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.
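The second bug in the chain is a prefix test done as a substring match. The following added example (not code from the plugin or from the CVE record) shows the correct prefix test beside a defensive audit that flags post meta rows matching the two indicators the description names: a '_um_' marker that is not at the start of the key, and a configuration value referencing 'password_reset_link'. The row layout and all meta key names and values are constructed for illustration.

```python
"""Audit wp_postmeta-style rows for the Ultimate Member meta-key abuse pattern.

Added defensive example; rows are constructed (post_id, meta_key, meta_value)
tuples standing in for a database export.
"""

UM_PREFIX = "_um_"
SENSITIVE_FIELDS = {"password_reset_link"}


def is_protected_meta_key(meta_key: str) -> bool:
    """Correct test: a key is protected only if it STARTS with '_um_'.
    A strstr()-style 'contains' test would also accept 'x_um_foo'."""
    return meta_key.startswith(UM_PREFIX)


def has_misplaced_um_marker(meta_key: str) -> bool:
    """True when '_um_' occurs in the key but not at offset 0, i.e. the shape
    the description says slips past a contains-based protected-meta check."""
    return UM_PREFIX in meta_key and not meta_key.startswith(UM_PREFIX)


def mentions_sensitive_field(meta_value: str) -> bool:
    """Flag config values that name a field that must never be rendered
    in a member directory response."""
    return any(field in meta_value for field in SENSITIVE_FIELDS)


def audit_postmeta(rows):
    """Return (post_id, meta_key, reason) triples for rows worth reviewing."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        if has_misplaced_um_marker(meta_key):
            findings.append((post_id, meta_key, "um-marker-not-at-start"))
        if mentions_sensitive_field(str(meta_value)):
            findings.append((post_id, meta_key, "sensitive-field-in-config"))
    return findings


# Constructed sample rows; key names are hypothetical, not real plugin keys.
SAMPLE_ROWS = [
    (101, "_um_mode", "directory"),          # prefix at offset 0: protected
    (102, "_thumbnail_id", "55"),            # unrelated core meta, ignored
    (103, "x_um_tagline_fields", 'a:1:{i:0;s:19:"password_reset_link";}'),
    (103, "x_um_mode", "directory"),
]

if __name__ == "__main__":
    for finding in audit_postmeta(SAMPLE_ROWS):
        print(*finding)
```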
Analysis (AI)
Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires a WordPress site running Ultimate Member ≤ 2.11.4 with an authenticated user at Contributor role or above (PR:L per CVSS), reachable XMLRPC (the standard /xmlrpc.php endpoint, enabled by default) to create the malicious post and meta, and the Ultimate Member member directory AJAX handler reachable over the network. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H justifies the 8.8 High rating: the attack is network-reachable, scriptable, requires only a Contributor account, and yields administrator takeover (full C/I/A impact). … |
| Exploit Scenario | An attacker registers or compromises a Contributor account on a target WordPress site running Ultimate Member ≤ 2.11.4, then uses XMLRPC to create a draft post with crafted meta keys whose names embed '_um_' mid-string, defining a directory configuration whose tagline_fields includes 'password_reset_link'. The attacker computes SUBSTRING(MD5(their_post_id), 11, 5), calls the member directory AJAX endpoint with that hash, and receives a JSON response containing live password reset URLs for every user including administrators, which they redeem to set a new admin password and take over the site. … |
| Remediation | Upstream fix available (commit 3569970 in the plugin's trac repository); the released patched version is not independently confirmed from the supplied data, so administrators should install the next Ultimate Member release after 2.11.4 published via the WordPress.org plugin repository and verify the version exceeds 2.11.4. … |
Recommended Action (AI)
24 hours: Identify all WordPress sites running the Ultimate Member plugin ≤ 2.11.4; enumerate active Contributor accounts; note that no public exploit code has been identified to date. …
Same weakness: CWE-862 – Missing Authorization
Same technique: Authentication Bypass
EUVD-2026-38714
GHSA-qqfq-fg56-qv34