
Admin Takeover Flaw in WordPress 'Ultimate Member' (CVE-2026-7761) — Update to v2.12.0 Now

Ultimate Member, a membership-site plugin used by over 200,000 sites, has a flaw letting a Contributor-level user take over an administrator. CVE-2026-7761, severity CVSS 8.8. Versions 2.11.4 and earlier are affected; update to the latest 2.12.0. An attacker can steal the admin's password reset link and seize the entire site.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.24

A membership-site building plugin used by over 200,000 sites worldwide, "Ultimate Member," has been found to contain a vulnerability (a software flaw) that lets a low-privilege user take over an administrator account. It is tracked as CVE-2026-7761, with a severity of 8.8 out of 10 (High).

The affected versions are 2.11.4 and earlier. It was found by the WordPress security firm Wordfence and disclosed on June 24, 2026. The fix is included in the latest version, 2.12.0 (released June 12). Because a user with only enough privilege to write posts can steal an administrator's password reset link and seize the entire site, any site running an older version needs to update right away.

What is the Ultimate Member plugin?

Ultimate Member is a plugin (an add-on component) that adds member registration, login, members-only pages, and member directories to a WordPress site. It is widely used to build "sites only members can see," such as online communities, paid membership sites, and internal portals.

According to its official distribution page, it currently runs on more than 200,000 sites. Because of its membership nature, such sites tend to accumulate users' personal information, making it one of the plugins whose compromise has a large impact.

This plugin also has a history of being attacked in the real world. In 2023, a large-scale attack campaign exploiting a different flaw was confirmed, creating rogue administrator accounts on many sites. The fact that it is recognized by attackers as a "plugin worth targeting" is a reason not to take this latest vulnerability lightly.

Who targets it, what they do, and what happens

First, it is important to note that this is not the kind of flaw anyone can exploit from outside in a single shot. The attack requires an account with "Contributor" privileges or higher.

With that in mind, the likely attacker is a Contributor-level user who has slipped into a membership site that hands out accounts to outsiders through registration or guest contributions. On media sites where anyone can submit articles, sites with open writer registration, or communities accepting guest posts, an attacker meets the precondition simply by registering as an ordinary contributor.

What that contributor does is create a crafted draft post and hijack the administrator's own password reset link the moment the administrator previews it. The administrator thinks they merely opened a draft to check its contents, but behind the scenes a link that can change their password slips into the attacker's hands.

Having obtained the link, the attacker can change the administrator's password to one of their choosing and log in. At that point they can do anything: steal members' personal data, deface the site, add fake administrator accounts, even plant malicious files. For the company or individual running the membership site this goes straight to a matter of trust, and for the registered members it goes straight to the risk of a personal-data leak.

When a plugin vulnerability starts being used in real attacks, it can be added to the U.S. agency CISA's "list of vulnerabilities under active attack." We maintain a Japanese-language overview in our CISA KEV Dashboard (Japanese edition).

What the vulnerability is

CVE-2026-7761 is in fact not a single flaw but a chain of three small logic gaps. Moreover, a nearly identical vulnerability was found in March (CVE-2026-4248), and what stands out this time is that it slips past that earlier fix through a new path. Let us look at each in turn.

CVE-2026-7761: a chain of three gaps that steals the admin's reset link (CVSS 8.8)

Ultimate Member has a feature where writing an insertion tag like "{usermeta:password_reset_link}" in a post's body replaces it with the password reset link for the user viewing that spot. It is meant as a convenience for members, but it became the entry point for abuse.

According to Wordfence's analysis, the attack works by chaining three flaws. First, a fallback to an old method (an MD5 hash) remains in how posts are matched, allowing posts to be swapped. Second, the check that restricts which insertion tags are allowed can be bypassed by crafting the syntax. Third, weak field validation makes it possible to force the value "password_reset_link" to be inserted.

Combining these three, the moment an administrator previews a draft prepared by a Contributor-level attacker, a password reset link for the administrator is generated and leaks out to a destination the attacker set up. The attacker uses that link to change the administrator's password, achieving a complete takeover.

CVE-2026-4248: the March precursor of the same type (CVSS 8.0)

A vulnerability targeting the same insertion tag was disclosed in March 2026 as CVE-2026-4248. It affected versions 2.11.2 and earlier: a Contributor-level user creates a draft combining the "[um_loggedin]" shortcode (a simple command) with the insertion tag, and when an administrator previews it, that password reset link is stolen.

The developer fixed this in version 2.11.3 (released March 26) by adding a denylist (blacklist) to the insertion conversion. But this time's CVE-2026-7761 slips past that denylist through a different path. In other words, this is the "second fix for the same goal." Updating only to 2.11.3 or 2.11.4 does not fully close this flaw, so you must go all the way to the latest version.

A quick check of whether your site is affected

For this latest flaw (CVE-2026-7761), the affected versions are 2.11.4 and earlier. It is fixed in the latest 2.12.0. Check the Ultimate Member version in the "Plugins" list of your admin screen.

Your version        | CVE-2026-7761 (this one) | CVE-2026-4248 (March) | What to do
2.11.2 and earlier  | Affected                 | Affected              | Top priority: update to 2.12.0
2.11.3 – 2.11.4     | Affected                 | Fixed                 | Update to 2.12.0
2.12.0 and later    | Fixed                    | Fixed                 | No action needed

Sites that hand out Contributor-or-higher privileges to outsiders need particular care. Because the attack's precondition is "a Contributor-level account," the more open your registration and contribution setup, the higher the risk.

What to do now

The top priority is to update Ultimate Member to the latest version, 2.12.0. You can update it in a few clicks from the WordPress admin screen. Since this flaw is a second one that slips past the March fix, do not assume "I updated in March, so I am fine"; make sure you are on 2.12.0 or later.

If you cannot update immediately, these mitigations help. If you grant Contributor-or-higher privileges to outsiders through registration or contributions, temporarily disable the plugin or restrict new privilege grants. Inspect for any suspicious drafts, unfamiliar administrator accounts, or unrecognized posts and redirect settings. Check whether any unexpected password-change notifications have arrived. If you cannot judge the situation, the safe course is to restore from a trusted backup and consult an expert.
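The version table above and the "inspect for suspicious drafts" step can both be scripted. The following is an added example written for this article, not code from the Ultimate Member project or from Wordfence: it classifies an installed version against the two fix versions the article gives (2.11.3 for CVE-2026-4248, 2.12.0 for CVE-2026-7761) using numeric rather than string comparison, and scans a constructed set of post records for the "{usermeta:password_reset_link}" insertion tag and the "[um_loggedin]" shortcode. The post records, author names and the permissive regular expressions are assumptions; the exact syntax of the bypass is not on this page, so the patterns deliberately favour recall over precision. In practice you would feed it the output of your own database or wp-cli export.

```python
import re
from dataclasses import dataclass

# Fix versions as stated in the article.
FIXED_4248 = (2, 11, 3)   # CVE-2026-4248 fixed in 2.11.3
FIXED_7761 = (2, 12, 0)   # CVE-2026-7761 fixed in 2.12.0


def parse_version(v: str) -> tuple:
    """Turn '2.11.4' into (2, 11, 4). Tuples compare numerically, so
    2.11.10 correctly sorts after 2.11.4 (a plain string compare gets that wrong)."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def classify_version(installed: str) -> dict:
    """Reproduce the article's version table for one installed version."""
    v = parse_version(installed)
    if v < FIXED_4248:
        action = "Top priority: update to 2.12.0"
    elif v < FIXED_7761:
        action = "Update to 2.12.0"
    else:
        action = "No action needed"
    return {
        "version": installed,
        "CVE-2026-7761": "Affected" if v < FIXED_7761 else "Fixed",
        "CVE-2026-4248": "Affected" if v < FIXED_4248 else "Fixed",
        "action": action,
    }


# Assumed, permissive patterns: case-insensitive and whitespace-tolerant so that
# reformatted variants of the tag are still caught. Tune to your own data.
RESET_TAG = re.compile(r"\{\s*usermeta\s*:\s*password_reset_link\s*\}", re.IGNORECASE)
LOOSE_RESET = re.compile(r"password_reset_link", re.IGNORECASE)
UM_LOGGEDIN = re.compile(r"\[\s*um_loggedin\b", re.IGNORECASE)


@dataclass
class Post:
    post_id: int
    author: str
    author_role: str   # WordPress role of the author, e.g. "contributor"
    status: str        # "draft", "pending", "publish", ...
    content: str


def scan_posts(posts) -> list:
    """Flag posts whose body carries the reset-link tag or the shortcode.
    A non-administrator author matches the article's attack precondition and is
    rated 'high'; administrator-authored matches are rated 'review' because the
    tag has a legitimate use for members."""
    findings = []
    for p in posts:
        reasons = []
        if RESET_TAG.search(p.content):
            reasons.append("{usermeta:password_reset_link} insertion tag")
        elif LOOSE_RESET.search(p.content):
            reasons.append("password_reset_link outside the exact tag form")
        if UM_LOGGEDIN.search(p.content):
            reasons.append("[um_loggedin] shortcode (CVE-2026-4248 pattern)")
        if reasons:
            findings.append({
                "post_id": p.post_id,
                "author": p.author,
                "status": p.status,
                "severity": "review" if p.author_role == "administrator" else "high",
                "reasons": reasons,
            })
    return findings


# Constructed sample records, not taken from any real site.
SAMPLE_POSTS = [
    Post(101, "editor_jane", "editor", "publish", "Welcome members! Visit your profile page."),
    Post(102, "guest_writer", "contributor", "draft", "Please check: {usermeta:password_reset_link}"),
    Post(103, "guest_writer", "contributor", "draft", "[um_loggedin] { UserMeta : password_reset_link }"),
    Post(104, "site_admin", "administrator", "publish", "Reset here: {usermeta:password_reset_link}"),
]


def triage(installed_version: str, posts) -> dict:
    """One combined report: version status plus flagged posts."""
    return {"plugin": classify_version(installed_version), "findings": scan_posts(posts)}


if __name__ == "__main__":
    report = triage("2.11.4", SAMPLE_POSTS)
    print(report["plugin"])
    for f in report["findings"]:
        print(f["severity"], f["post_id"], f["author"], f["status"], "; ".join(f["reasons"]))
```

Two "high" findings from contributor drafts and one "review" finding from an administrator post is the expected output for the sample data; on a real site, any "high" hit on a draft authored by an outsider is the signal to delete the draft, review that account, and confirm that no administrator has previewed it.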

WordPress plugin vulnerabilities are disclosed in large numbers almost every month. Dozens were published at once in June as well; you can see the full picture in our June 2026 WordPress plugin vulnerability roundup. Deleting plugins you do not use and frequently updating the ones you need is the strongest defense.

Summary

CVE-2026-7761 in Ultimate Member is a vulnerability in which a Contributor-level user steals an administrator's password reset link and takes over the site. Its severity is CVSS 8.8. It starts from the same "insertion tag" as March's CVE-2026-4248, and what to watch for is that it is a new path slipping past that earlier fix.

Because it is a plugin used on more than 200,000 sites and previously hit by large-scale attacks, the risk of leaving it unpatched is not small. The affected versions are 2.11.4 and earlier, and it is fixed in the latest 2.12.0. If you run a membership site, first check your version and, if it is old, update now. If new vulnerabilities concerning Ultimate Member emerge, we will track them by adding to this article.
