WordPress Plugin Vulnerabilities

Ultimate Member < 2.11.3 - Contributor+ Account Takeover via Shortcode Template Tag

Description

The plugin is vulnerable to Sensitive Information Exposure due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover.

Affects Plugins

Plugin icon
ultimate-member
Fixed in 2.11.3

References

CVE
CVE-2026-4248
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/baafd001-144d-4ee4-b7e6-28c0931e6e10

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
HDH
Verified
No
WPVDB ID
aeaa9275-2532-44ed-a267-186f1c9da8f6

Timeline

Publicly Published
2026-03-27 (about 1 month ago)
Added
2026-03-30 (about 1 month ago)
Last Updated
2026-03-30 (about 1 month ago)

Other

Published
Title
Published
2024-03-07
Title
Simple Restrict < 1.2.7 - Missing Authorization to Sensitive Information Exposure
Published
2022-01-14
Title
WP Import Export < 3.9.16 - Unauthenticated Sensitive Data Disclosure
Published
2026-01-26
Title
FullCalendar <= 1.6 - Unauthenticated Information Exposure
Published
2024-08-15
Title
Relevanssi < 4.23.0 - Unauthenticated Information Exposure
Published
2024-07-12
Title
Zephyr Project Manager < 3.3.100 - Unauthenticated Information Exposure