Ultimate Member EUVD-2026-38714

CVE-2026-7761 HIGH
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-qqfq-fg56-qv34
8.8
CVSS 3.1 · Vendor: Wordfence

Severity by source

Vendor (Wordfence), PRIMARY: 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 8.8 HIGH

Network-reachable AJAX/XMLRPC (AV:N), scriptable chain (AC:L), requires Contributor account (PR:L), no victim interaction (UI:N), and leaked reset links yield admin takeover (C:H/I:H/A:H).

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 24, 2026 - 08:00 (vuln.today)
CVE Published: Jun 24, 2026 - 06:49 (cve.org)

Description (CVE.org)

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.

Analysis (AI)

Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain Contributor account on target site
Delivery: Create malicious draft post via XMLRPC with crafted '_um_' meta
Exploit: Compute MD5 substring hash of attacker post ID
Install: Call member directory AJAX with forged hash
C2: Plugin returns password reset URLs for admins
Execute: Redeem reset URL to set new admin password
Impact: Full site takeover

Vulnerability Assessment (AI)

Exploitation: Requires a WordPress site running Ultimate Member ≤ 2.11.4 with an authenticated user at Contributor role or above (PR:L per CVSS), reachable XMLRPC (the standard /xmlrpc.php endpoint, enabled by default) to create the malicious post and meta, and the Ultimate Member member directory AJAX handler reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H justifies the 8.8 High rating: the attack is network-reachable, scriptable, requires only a Contributor account, and yields administrator takeover (full C/I/A impact). …
Exploit Scenario: An attacker registers or compromises a Contributor account on a target WordPress site running Ultimate Member ≤ 2.11.4, then uses XMLRPC to create a draft post with crafted meta keys whose names embed '_um_' mid-string, defining a directory configuration whose tagline_fields includes 'password_reset_link'. The attacker computes SUBSTRING(MD5(their_post_id), 11, 5), calls the member directory AJAX endpoint with that hash, and receives a JSON response containing live password reset URLs for every user, including administrators, which they redeem to set a new admin password and take over the site. …
Remediation: An upstream fix is available (commit 3569970 in the plugin's trac repository). The released patched version was not independently confirmed from the supplied data, so administrators should install the next Ultimate Member release after 2.11.4 published via the WordPress.org plugin repository and verify that the installed version exceeds 2.11.4. …

Recommended Action (AI)

24 hours: Identify all WordPress sites running the Ultimate Member plugin ≤ 2.11.4; enumerate active Contributor accounts; note that no public exploit code has been identified to date. …
