Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-7761— Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

CVSS 8.8 · High EPSS 0.50% · P39
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-7761

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Ultimate Member Ultimate Member授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Ultimate Member Ultimate Member是Ultimate Member团队的一款用户会员管理插件。 Ultimate Member Ultimate Member2.11.4及之前版本存在授权问题漏洞,该漏洞源于一系列逻辑漏洞:MD5哈希回退、strstr()解析逻辑缺陷以及字段名验证缺失,可能导致经过身份验证的攻击者通过泄露密码重置链接实现账户接管。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

II. Public POCs for CVE-2026-7761

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-7761

登录查看更多情报信息。

Patches & Fixes for CVE-2026-7761 (2)

Other References for CVE-2026-7761 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-7761

No comments yet


Leave a comment