CVE-2026-4248 HIGH

CVE-2026-4248: Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag

Vendor Ultimatemember
Product Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Weakness CWE-285
Published March 27, 2026
Last update April 8, 2026

CVSS base score

8.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover.
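A defender reviewing a site on an affected version wants to know whether any stored post content already carries this tag inside the shortcode before an Administrator previews it. The scanner below is an added example, not code from Ultimate Member or the advisory: it runs over rows with the columns a wp_posts export provides (the sample rows are constructed), flags the '{usermeta:password_reset_link}' tag only where it sits inside an '[um_loggedin]' block as the advisory describes, rates unpublished posts highest because those are the ones an Administrator would preview, and offers a defang step that simply removes the tag (the assumption being that a tag that is no longer present cannot be processed into a token).

```python
"""Detection helper for CVE-2026-4248 (Ultimate Member <= 2.11.2). Added example."""
import re

# An [um_loggedin ...]...[/um_loggedin] block; shortcode attributes are optional.
UM_LOGGEDIN_RE = re.compile(
    r"\[um_loggedin\b[^\]]*\](.*?)\[/um_loggedin\]", re.IGNORECASE | re.DOTALL
)
# The template tag itself, tolerating case and whitespace variations inside the braces.
RESET_TAG_RE = re.compile(
    r"\{\s*usermeta\s*:\s*password_reset_link\s*\}", re.IGNORECASE
)

# Constructed sample rows (ID, post_author, post_status, post_content); not real site data.
SAMPLE_POSTS = [
    {"ID": 101, "post_author": 7, "post_status": "pending",
     "post_content": '<p>Draft</p>[um_loggedin show_lock="no"]Your link: '
                     '{usermeta:password_reset_link}[/um_loggedin]'},
    {"ID": 102, "post_author": 1, "post_status": "publish",
     "post_content": "[um_loggedin]Welcome back, {usermeta:display_name}![/um_loggedin]"},
    {"ID": 103, "post_author": 1, "post_status": "publish",
     "post_content": "[um_loggedin]{ UserMeta : Password_Reset_Link }[/um_loggedin]"},
]


def find_reset_tag_abuse(posts):
    """Return one finding per post whose [um_loggedin] body contains the reset-link tag.

    Pending/draft posts are rated 'high': an Administrator previewing them would
    have a reset token generated for their own account. Anything else is 'medium'.
    """
    findings = []
    for post in posts:
        content = post.get("post_content") or ""
        bodies = [m.group(1) for m in UM_LOGGEDIN_RE.finditer(content)]
        if not any(RESET_TAG_RE.search(body) for body in bodies):
            continue
        unpublished = post.get("post_status") in ("pending", "draft")
        findings.append({"ID": post["ID"], "author": post.get("post_author"),
                         "status": post.get("post_status"),
                         "severity": "high" if unpublished else "medium"})
    return findings


def neutralize_reset_tag(content):
    """Remove the tag so the shortcode has nothing to expand into a token."""
    return RESET_TAG_RE.sub("", content)


if __name__ == "__main__":
    for finding in find_reset_tag_abuse(SAMPLE_POSTS):
        print(finding)
```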

Explanation of Vulnerability in Simple Terms

Summary

Ultimate Member versions up to and including 2.11.2 contain an improper access control flaw: the '{usermeta:password_reset_link}' template tag is expanded inside the '[um_loggedin]' shortcode for whichever logged-in user views the page. A low-privilege (Contributor or higher) account can place the tag in a pending post; when an Administrator previews that post, a reset token for the Administrator's account is generated and can be sent to the attacker, leading to full account takeover and, from there, to reading sensitive data, modifying site content, or disrupting service. User interaction (the preview) is required to trigger the vulnerability. Update to a version newer than 2.11.2 to remediate.

What an attacker can do

Attacker Capabilities

Starting from a Contributor-level account, obtain an Administrator's password reset token and take over that account, which in turn allows reading sensitive data, modifying content, or disrupting service.

Potential impact on your site

Site Impact

An attacker holding a hijacked Administrator account can access private member data, alter site content, or cause downtime on your membership site.

Conditions required to exploit

Prerequisites

Attacker needs a valid Contributor-level (or higher) account on the site and must get an Administrator to preview the malicious pending post.

Key dates

Disclosure timeline

March 27, 2026 CVE published
April 8, 2026 Record updated