CVE-2026-7761 (GCVE-0-2026-7761)
Vulnerability from cvelistv5 – Published: 2026-06-24 06:49 – Updated: 2026-06-24 06:49
Title
Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure
Summary
The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.
Severity
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
Wordfence
References
10 references (listed in the record below)
Impacted products
1 product
| Vendor | Product | Affected versions |
|---|---|---|
| ultimatemember | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | 0 through ≤ 2.11.4 (semver) |
Credits
Kevin Wydler (finder)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ultimate Member \u2013 User Profile, Registration, Login, Member Directory, Content Restriction \u0026 Membership Plugin",
"vendor": "ultimatemember",
"versions": [
{
"lessThanOrEqual": "2.11.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Wydler"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress\u0027s protected meta key restrictions by placing \u0027_um_\u0027 anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including \u0027password_reset_link\u0027 to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject \u0027password_reset_link\u0027 into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T06:49:37.493Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9aff7b03-4f03-434c-be87-b10ceeb4e625?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L2726"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-member-directory.php#L2726"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L289"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-member-directory.php#L289"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-query.php#L439"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-query.php#L439"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/um-short-functions.php#L2611"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/um-short-functions.php#L2611"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3569970/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T04:12:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-23T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Ultimate Member \u003c= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7761",
"datePublished": "2026-06-24T06:49:37.493Z",
"dateReserved": "2026-05-04T03:56:30.381Z",
"dateUpdated": "2026-06-24T06:49:37.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-7761",
"date": "2026-06-24",
"epss": "0.00499",
"percentile": "0.38823"
}
}
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.