CVE-2026-7761

EPSS 0.5%
Veröffentlicht 24.06.2026 06:49:37
Zuletzt bearbeitet 24.06.2026 21:16:58
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 13

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerultimatemember

≫

Produkt Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Default Statusunaffected

Version <= 2.11.4

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.5%	0.388

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/9aff7b03-4f03-434c-be87-b10ceeb4e625?source=cve

https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L2726

https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-member-directory.php#L2726

https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-member-directory.php#L289

https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-member-directory.php#L289

https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/class-query.php#L439

https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/core/class-query.php#L439

https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/um-short-functions.php#L2611

https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.4/includes/um-short-functions.php#L2611

https://plugins.trac.wordpress.org/changeset/3569970/

https://nvd.nist.gov/vuln/detail/CVE-2026-7761

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-7761

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-7761

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-7761