Sensitive Information Exposure in Ultimate Member Plugin for WordPress
CVE-2026-4248

8HIGH

Key Information:

Vendor

WordPress
Status
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Vendor
CVE Published:
27 March 2026

What is CVE-2026-4248?

The Ultimate Member plugin for WordPress contains a vulnerability that allows authenticated attackers to expose sensitive information through the improper handling of the '{usermeta:password_reset_link}' template tag. This vulnerability affects all versions up to, and including, 2.11.2. By utilizing the '[um_loggedin]' shortcode within a pending post, attackers with Contributor-level access or higher can generate valid password reset tokens that, if previewed by an Administrator, can be exfiltrated to an external server. This situation could ultimately lead to a full account takeover, compromising the security of the affected WordPress site.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin * <= 2.11.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/ultimate-membe...
https://github.com/ultimatemember/ultimatemember/pull/1799

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

HDH
JSON
.