CVE-2026-7761
Deferred Deferred - Pending Action

Account Takeover via Password Reset Link Disclosure in Ultimate Member

Vulnerability report for CVE-2026-7761, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ultimate_member ultimate_member to 2.11.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Ultimate Member plugin for WordPress has a vulnerability that allows an attacker to take over accounts by leaking password reset links. This happens because of a combination of three logic bugs: first, an MD5 hash fallback lets any post be used as a member directory; second, a parsing flaw allows bypassing restrictions on protected meta keys; third, missing validation allows arbitrary field names, including 'password_reset_link', to be injected. An attacker with Contributor-level access or higher can create a malicious post with crafted meta fields, use the MD5 fallback to point the member directory to their post, inject the password reset link into the configuration, and leak live password reset URLs for all users, including administrators.

Impact Analysis

This vulnerability can lead to account takeover by exposing live password reset URLs for all users in the member directory response. An attacker with Contributor-level access or above can exploit this to gain unauthorized access to user accounts, including administrator accounts, potentially compromising the entire WordPress site.

Compliance Impact

The vulnerability allows authenticated attackers to leak live password reset URLs for all users, including administrators, which can lead to unauthorized account takeover.

Such unauthorized access and exposure of sensitive user credentials can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information.

Therefore, this vulnerability poses a significant risk to compliance with these standards by potentially exposing user data and compromising account security.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart