Blog · Security news

On 200,000 WordPress sites, a low-level user can quietly steal the admin's login

A contributor-level user can make Ultimate Member leak every user's password reset link, admins included. Affects versions through 2.11.4; fixed in 2.12.0


A single contributor account is enough to take over the administrator of a WordPress site running the Ultimate Member plugin. The plugin handles user registration and member directories on more than 200,000 sites, and a flaw tracked as CVE-2026-7761 lets a low-privilege but logged-in user pull live password reset links for every other user, the administrator included. Wordfence rates it 8.8 out of 10. The fix is already out. If you run this plugin and have not moved to version 2.12.0, treat this as today's work.

Here is the part that should bother you: this is the second password-reset-link leak in Ultimate Member in three months, and the new one is harder to notice than the first.

What the flaw lets an attacker do

Ultimate Member can render a member directory, a public listing of registered users built from their profile fields. CVE-2026-7761 is three logic mistakes chained together that bend that directory into a leak.

  • A hashing shortcut that maps a directory to its page can be satisfied by any post, so an attacker can make a post they own behave like a member directory.
  • A faulty check on protected field names lets a reserved internal prefix slip through when it sits in the wrong place, so fields that should be off-limits stop being off-limits.
  • Missing validation on which profile fields a directory may request lets the attacker ask for one that was never meant to be public: the password reset link.

Put together, a contributor creates a post through the site's remote-publishing interface, points the directory machinery at it, and asks the directory to include each member's reset link in its response. The site hands back working reset URLs for everyone in that directory, administrators included. A reset link is all you need to set a new password and walk in.

The earlier flaw, CVE-2026-4248, leaked the same kind of reset link, but it needed an administrator to preview a malicious draft for the leak to fire. This one does not. The directory response is generated on demand from the attacker's own request, so no administrator has to do anything. That single difference, no human in the loop, is why the matching severity score understates the practical risk. The new path can be automated and left to run.

Why this keeps happening

The March patch, version 2.11.3, fixed CVE-2026-4248 by adding a denylist filter to the template feature that exposes the reset link. A denylist only blocks the inputs someone thought to block. The reset-link value is still reachable as a profile field; each patch closes one road to it rather than removing the field from the map. Until a password reset link can no longer be requested as if it were an ordinary public attribute, planning for a third variant is the safe bet. The durable fix is to stop treating a one-time account-recovery secret as just another renderable field. WordPress plugins keep shipping account-takeover bugs in their password reset flow, and the pattern rarely changes after a single point fix.

"It needs a contributor account" is weaker than it sounds

The attack requires a logged-in user at contributor level or above. That reads like a high bar until you remember what Ultimate Member is for. It is a membership and registration plugin. The sites that install it tend to run open or semi-open sign-up and hand elevated roles to community members, guest authors, and partners. On a static brochure site a contributor account is rare. On exactly the sites that run this plugin, accounts are the whole point. Treat any account at contributor or above here as a direct path to admin.

The patch is older than the warning

Version 2.12.0 shipped on June 12 and quietly fixed this flaw along with two other security issues. The CVE record and the public advisory only landed on June 24. For twelve days, sites with automatic plugin updates were already safe while sites that batch their updates were exposed and unaware. Now the details are public, so that second group is both exposed and easy to find. Mass campaigns hit WordPress plugins thousands of sites at a time, so the gap between a patch existing and a patch being applied is the entire contest.

What to do today

  • Update Ultimate Member to 2.12.0 or later. This is the fix. On a membership site with real user accounts, schedule it now rather than at the next maintenance window.
  • Audit accounts at contributor level and above. Remove roles nobody can account for, and tighten what new sign-ups are granted. Every such account is a possible launch point.
  • Lock down remote publishing. The chain creates its malicious post through XML-RPC, the older remote-publishing interface. If your site does not rely on it, disabling it removes this step and a long list of other abuse with it.
  • If you suspect exposure, rotate now. Force a password reset and invalidate active sessions for administrators. A leaked reset link stays usable until that account's password actually changes.
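The last three steps of that checklist can be scripted on the site itself. The mu-plugin below is an added example written for this article, not code from Ultimate Member, Wordfence or WordPress core; the `um_leak_*` function names are hypothetical, while the filter and functions it calls are standard WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Reset-link leak response (added example, hypothetical mu-plugin)
 * Description: Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Lock down remote publishing: core checks this filter before serving any
// XML-RPC method, so returning false turns the interface off for every caller.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Audit accounts at contributor level and above. Returns "login (roles)" strings
// so unexplained or stale accounts can be reviewed and removed. The role list
// covers a stock install; add any custom roles the site grants on sign-up.
function um_leak_list_privileged_users() {
	$users = get_users( array(
		'role__in' => array( 'contributor', 'author', 'editor', 'administrator' ),
	) );
	$out = array();
	foreach ( $users as $u ) {
		$out[] = sprintf( '%s (%s)', $u->user_login, implode( ',', $u->roles ) );
	}
	return $out;
}

// Rotate every administrator. wp_set_password() writes a new hash and blanks
// user_activation_key, which is where a pending reset key is stored, so a reset
// link that already leaked stops working at that moment. Sessions are destroyed
// separately: a password change alone leaves existing login cookies valid.
// Each admin then sets a fresh password through "Lost your password?", which
// issues a brand-new key. Returns the logins that were rotated.
function um_leak_rotate_admins() {
	$rotated = array();
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
		wp_set_password( wp_generate_password( 32, true, true ), $admin->ID );
		WP_Session_Tokens::get_instance( $admin->ID )->destroy_all();
		$rotated[] = $admin->user_login;
	}
	return $rotated;
}
```

Run the two functions from WP-CLI, for example `wp eval 'print_r( um_leak_list_privileged_users() );'` to review accounts first and `wp eval 'print_r( um_leak_rotate_admins() );'` once you have decided to rotate.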

The score on this one is high, the patch is easy, and the access it requires is exactly the access these sites give away by design. The only variable left is how fast you apply 2.12.0.

Frequently asked questions

What is CVE-2026-7761?

CVE-2026-7761 is an account takeover flaw in the Ultimate Member WordPress plugin, affecting releases through 2.11.4. A logged-in user with contributor access or higher can make the member directory return live password reset links for other users, administrators included. Wordfence scores it 8.8 out of 10.

Which versions are affected and what fixes it?

Every Ultimate Member version through 2.11.4 is affected. The fix is version 2.12.0, released on June 12, 2026, which also resolved two other security issues. Update to 2.12.0 or later to close the flaw.

Is CVE-2026-7761 being actively exploited?

There are no public reports of active exploitation as of June 24, 2026. The risk is still real. Flaws like this in popular WordPress plugins are commonly used in mass campaigns against thousands of sites once details are public, and the technical details are now disclosed.

Does the attacker need an account on the site?

Yes. The attack needs a logged-in account at contributor level or above. That sounds limiting, but Ultimate Member is a membership and registration plugin, so the sites that run it often grant contributor or higher roles to community members and guest authors, which makes the bar low in practice.

How is this different from the earlier Ultimate Member bug?

The earlier flaw, CVE-2026-4248, leaked the same password reset links but needed an administrator to preview a malicious draft. CVE-2026-7761 needs no administrator action: the member directory returns the reset links on demand, so the attack can be automated and run without a victim's help.
