WordPress Security Bulletin: Ultimate Member Plugin Vulnerability (CVE-2026-4248)

Security Alert Summary

The Ultimate Member plugin for WordPress contains a sensitive information exposure vulnerability reachable by authenticated users with Contributor-level access or higher. The {usermeta:password_reset_link} template tag, when processed inside the [um_loggedin] shortcode in post content, generates and exposes a valid password reset token for the user currently viewing the page rather than for the post's author. If an Administrator previews a crafted pending post, the token issued is for that Administrator's account.


CVE Details

  • CVE ID: CVE-2026-4248
  • Affected plugin / component: Ultimate Member plugin for WordPress
  • Affected versions: All versions up to and including 2.11.2
  • Published: March 27, 2026 at 11:17:14 PM UTC
  • Last modified: March 27, 2026 at 11:17:14 PM UTC
  • CVSS v3.1: Base Score 8.0, Severity HIGH
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low (requires a user with Contributor-level access or higher)
    • User Interaction: Required
    • Scope: Unchanged
  • Primary impact:
    • Confidentiality: High
    • Integrity: High
    • Availability: High
  • CWE / weakness ID: CWE-285 (Improper Authorization)

Technical Details

The vulnerability exists because the {usermeta:password_reset_link} template tag is processed inside post content when the [um_loggedin] shortcode is rendered. Processing the tag generates a valid password reset token for whichever user is viewing the page at that moment, with no check that the viewer is the person who authored the content.

An authenticated attacker with Contributor-level access or higher can create a pending post that wraps the template tag in the [um_loggedin] shortcode together with whatever payload is needed to send the rendered output to an attacker-controlled server. When an Administrator previews that pending post (for example, while working through the moderation queue), the plugin processes the shortcode and template tag in the Administrator's context, produces a reset token for the Administrator account, and the post content delivers that token to the attacker. A valid reset token can be used to set a new password on the targeted account, so the exposure leads directly to Administrator account takeover.

This description covers only the processing of the named template tag and shortcode; it does not assume any vulnerability beyond that behaviour.
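The following must-use plugin is an added interim mitigation written for this bulletin; it is not code from Ultimate Member or from the original advisory. It assumes that the tag reaches the [um_loggedin] handler through WordPress core's the_content filter, where do_shortcode runs at priority 11, so a filter at priority 1 can remove the tag first. It keys on the post author's capabilities rather than on the viewer: a tag placed by an Administrator in their own page is left alone, while one placed by a Contributor is stripped no matter who looks at the post. The file name, the umg_ prefix and the UMG_RESET_TAG constant are hypothetical.

```php
<?php
/**
 * Plugin Name: UM reset-link tag guard (interim mitigation, hypothetical)
 *
 * Drop into wp-content/mu-plugins/ and remove once Ultimate Member is
 * updated past 2.11.2. Removes the {usermeta:password_reset_link} template
 * tag from post content before WordPress runs shortcodes, unless the post's
 * author already holds manage_options (a reset link for themselves adds
 * nothing an Administrator could not already do).
 */

// The tag as written in content; tolerate spacing and letter-case variants.
const UMG_RESET_TAG = '/\{\s*usermeta\s*:\s*password_reset_link\s*\}/i';

function umg_author_is_privileged( WP_Post $post ) {
    $author_id = (int) $post->post_author;
    return $author_id > 0 && user_can( $author_id, 'manage_options' );
}

function umg_strip_reset_tag( $content ) {
    $post = get_post();
    if ( ! $post instanceof WP_Post || umg_author_is_privileged( $post ) ) {
        return $content;
    }

    $count    = 0;
    $stripped = preg_replace( UMG_RESET_TAG, '', $content, -1, $count );
    if ( null === $stripped ) {
        // Regex engine failure: leave the content alone rather than break rendering.
        return $content;
    }
    if ( $count > 0 ) {
        // Leave a trail in the PHP error log (or the WP_DEBUG_LOG target);
        // the post ID tells the reviewer which pending post to inspect.
        error_log( sprintf(
            'umg: stripped %d password_reset_link tag(s) from post %d (author %d), viewer user %d, preview=%s',
            $count,
            $post->ID,
            (int) $post->post_author,
            get_current_user_id(),
            is_preview() ? 'yes' : 'no'
        ) );
    }
    return $stripped;
}

// Core attaches do_shortcode to the_content at priority 11; running at priority 1
// means the [um_loggedin] handler never receives the tag.
add_filter( 'the_content', 'umg_strip_reset_tag', 1 );
```

This only covers content rendered through the_content. If the plugin also expands the tag in other paths (REST output, excerpts, e-mail templates), those are not touched, which is why the guard is a stopgap and not a substitute for the vendor fix.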


How This Could Impact Your Website

Consider a typical small organization running WordPress where content creation is handed to external contributors or contractors. A contractor with Contributor access can submit a pending post containing the vulnerable template tag and an exfiltration mechanism. If an internal staff member or the Administrator previews that pending post, a password reset token for the previewing account is generated and sent to the attacker. With a valid reset token the attacker can reset that account's password and take it over, which for an Administrator means full control of the site.

Practical consequences include exposure of privileged account credentials, follow-on phishing or social engineering carried out from a legitimate account, and unauthorized changes to site content, users, plugins or settings. If you are unsure whether your site is affected, or how your user roles and plugins are configured, a professional review is worthwhile.


Recommended Actions

  • Update Ultimate Member to a release later than 2.11.2 as soon as one is available; the advisory lists 2.11.2 as the last affected version.
  • Until the update is installed, avoid previewing pending posts from Contributor accounts while logged in as an Administrator; the token is issued for whoever views the post, so review such content from an account without administrative privileges.
  • Review and reduce unnecessary user roles, especially Contributor-level accounts, and remove accounts that no longer need access.
  • Enforce strong passwords and two-factor authentication for Editors and Administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, in particular pending posts that contain the {usermeta:password_reset_link} tag or the [um_loggedin] shortcode, and previews of those posts.
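To make the last item concrete, here is an added scan that looks for posts carrying the template tag; it is written for this bulletin and is not part of Ultimate Member or the original advisory. It uses only WordPress core query functions and the WP-CLI output helpers, and is meant to be run from the site root with `wp eval-file um-reset-tag-scan.php` (the file name is hypothetical). It prefilters with WP_Query's `s` search, confirms each hit with the same regex a renderer would need, and reports the author's roles and whether the tag is wrapped in [um_loggedin].

```php
<?php
/**
 * Scan posts for the {usermeta:password_reset_link} template tag.
 * Usage (hypothetical file name):  wp eval-file um-reset-tag-scan.php
 * Exits non-zero when hits are found so it can run from cron or CI.
 */

$pattern = '/\{\s*usermeta\s*:\s*password_reset_link\s*\}/i';

$posts = get_posts( array(
    'post_type'   => 'any',
    // The attack needs a pending post to be previewed, but a tag in any
    // review-queue or live state is worth seeing.
    'post_status' => array( 'pending', 'draft', 'future', 'private', 'publish' ),
    'numberposts' => -1,
    // Cheap SQL LIKE on title/excerpt/content before the regex check.
    's'           => 'password_reset_link',
) );

$hits = array();
foreach ( $posts as $post ) {
    if ( ! preg_match( $pattern, $post->post_content ) ) {
        continue; // 's' matched the title/excerpt or some other spelling
    }
    $author = get_userdata( (int) $post->post_author );
    $hits[] = array(
        'ID'      => $post->ID,
        'status'  => $post->post_status,
        'author'  => $author ? $author->user_login : 'unknown',
        'roles'   => $author ? implode( ',', $author->roles ) : '',
        // Exposure path described in the advisory is the [um_loggedin] shortcode.
        'wrapped' => ( false !== stripos( $post->post_content, '[um_loggedin' ) ) ? 'yes' : 'no',
    );
}

if ( empty( $hits ) ) {
    WP_CLI::success( 'No posts contain the password_reset_link template tag.' );
} else {
    WP_CLI::warning( count( $hits ) . ' post(s) contain the tag; review them before anyone previews them.' );
    WP_CLI\Utils\format_items( 'table', $hits, array( 'ID', 'status', 'author', 'roles', 'wrapped' ) );
    WP_CLI::halt( 1 );
}
```

A hit authored by a Contributor or Author role is the case the advisory describes and should be treated as hostile content until explained. Note that post_type 'any' excludes revisions, so a tag that exists only in an unsaved autosave used for preview is not listed; add 'revision' (with post_status 'inherit') to the query if you want those rows as well.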

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

