Account Takeover Vulnerability in Ultimate Member Plugin for WordPress
CVE-2026-7761

8.8 HIGH

What is CVE-2026-7761?

The Ultimate Member plugin for WordPress contains a vulnerability that allows authenticated users with Contributor-level access or higher to take over other accounts. It results from a chain of logic flaws: an insecure MD5 hash fallback that lets attacker-controlled posts be treated as member directories, a parsing issue that bypasses restrictions on WordPress meta keys when their format is altered, and missing validation of field names. Together, these flaws let an attacker generate and leak password reset links for any user listed in the member directory, potentially compromising accounts, including those of administrators.

Affected Version(s)

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: all versions up to and including 2.11.4

CVSS v3.1

Score: 8.8
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Kevin Wydler