Platform
wordpress
Component
ultimate-member
Fixed in
2.11.3
CVE-2026-4248 is a sensitive information exposure vulnerability in the Ultimate Member plugin for WordPress. It allows authenticated attackers with Contributor-level access or higher to cause password reset tokens to be generated for administrators, or for any other logged-in user who views the post, by crafting malicious posts. The issue affects versions up to and including 2.11.2 and is fixed in version 2.11.3.
CVE-2026-4248 in the Ultimate Member plugin for WordPress is a Sensitive Information Exposure vulnerability. The plugin processes the '{usermeta:password_reset_link}' template tag when it appears in post content wrapped by the '[um_loggedin]' shortcode, and resolving that tag generates a valid password reset token for whichever logged-in user is viewing the page. An authenticated attacker with Contributor-level access or higher can craft a pending post containing the shortcode and the tag; a privileged user such as an Administrator who views or previews the post while reviewing it causes a reset token for their own account to be generated and rendered into the page, and once the post is published the rendered link is exposed to anyone who can access the post, potentially allowing the attacker to reset the affected user's password. The token stays valid after it is generated, so the exposure exists whenever the pending post is shared or accessed before publication as well.
An attacker with Contributor or higher access can create a pending post that includes the '[um_loggedin]' shortcode wrapping the '{usermeta:password_reset_link}' template tag. Whenever that pending post is rendered, whether by the attacker or by another user such as a reviewing Administrator, a valid password reset token for the viewing user is generated. If the pending post is published, the token becomes accessible to anyone who can access the post, potentially allowing the attacker to reset the affected user's password. The risk is heightened if the post is shared publicly or indexed by search engines.
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The resolution to this vulnerability is to update the Ultimate Member plugin to version 2.11.3 or later. This update corrects how template tags are handled within post content, preventing the generation of publicly accessible password reset tokens. Before updating, review and delete any pending posts containing the '{usermeta:password_reset_link}' tag, since a token generated by viewing such a post remains valid. Additionally, restricting Contributor-level and higher roles to users who actually need them reduces the pool of accounts able to submit such posts.
Update to version 2.11.3, or a newer patched version
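The audit script below is an added example written for this page; it is not code from the Ultimate Member project or from the advisory's authors. It implements the pre-update check described above: it scans post records for the '{usermeta:password_reset_link}' tag and reports whether the tag is wrapped by a closed '[um_loggedin]' shortcode, the combination the description says triggers token generation. The tag and shortcode names come from the description; the regular expressions, the record shape, the 'Finding' type and the sample posts are assumptions constructed for the example. The expected input is a JSON array of post records in the shape produced by a WP-CLI export such as 'wp post list --post_status=pending,draft,publish --fields=ID,post_author,post_status,post_content --format=json' (the exact flags are assumed; check them against your WP-CLI version).

```python
"""Audit WordPress post content for the CVE-2026-4248 pattern.

Added example for this page, not Ultimate Member code. Reads a JSON array
of post records (ID, post_author, post_status, post_content) and reports
posts that carry the password-reset template tag.
"""
import json
import re
import sys
from dataclasses import dataclass

# The shortcode named on this page, with optional attributes and a closing tag.
# Regex is an assumption built from the description, not the plugin's own parser.
SHORTCODE_RE = re.compile(
    r"\[um_loggedin\b[^\]]*\](.*?)\[/um_loggedin\]",
    re.IGNORECASE | re.DOTALL,
)
# The template tag, tolerant of case and stray whitespace inside the braces.
PLACEHOLDER_RE = re.compile(
    r"\{\s*usermeta\s*:\s*password_reset_link\s*\}",
    re.IGNORECASE,
)


@dataclass
class Finding:
    post_id: int
    post_author: int
    post_status: str
    inside_shortcode: bool  # True when the tag sits inside a closed [um_loggedin] block


def scan_post(post):
    """Return a Finding if the post contains the template tag, otherwise None."""
    content = post.get("post_content") or ""
    if not PLACEHOLDER_RE.search(content):
        return None
    # Only content wrapped by a closed shortcode is rendered through the shortcode.
    # An unclosed [um_loggedin] has no body, so a tag after it counts as outside;
    # it is still reported so a reviewer can look at it.
    inside = any(PLACEHOLDER_RE.search(body) for body in SHORTCODE_RE.findall(content))
    return Finding(int(post["ID"]), int(post["post_author"]), post["post_status"], inside)


def scan_posts(posts):
    """All posts carrying the tag, in input order."""
    return [f for f in (scan_post(p) for p in posts) if f is not None]


def risky_post_ids(posts):
    """IDs of posts where the tag is wrapped by the shortcode (the exploitable pattern)."""
    return [f.post_id for f in scan_posts(posts) if f.inside_shortcode]


# Constructed sample records, shaped like a WP-CLI JSON export.
SAMPLE_POSTS = [
    {"ID": 101, "post_author": 7, "post_status": "pending",
     "post_content": "Welcome back!\n[um_loggedin]Your link: {usermeta:password_reset_link}[/um_loggedin]"},
    {"ID": 102, "post_author": 7, "post_status": "publish",
     "post_content": "Profile: {usermeta:password_reset_link} (no shortcode wrapper)"},
    {"ID": 103, "post_author": 2, "post_status": "draft",
     "post_content": "[um_loggedin]Members only text[/um_loggedin]"},
    {"ID": 104, "post_author": 7, "post_status": "pending",
     "post_content": "[um_loggedin show_lock=\"yes\"]<p>{ UserMeta : Password_Reset_Link }</p>[/um_loggedin]"},
    {"ID": 105, "post_author": 7, "post_status": "pending",
     "post_content": "[um_loggedin] {usermeta:password_reset_link}"},  # unclosed shortcode
]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            posts = json.load(fh)
    else:
        posts = SAMPLE_POSTS
    for f in scan_posts(posts):
        level = "RISKY" if f.inside_shortcode else "review"
        print(f"{level:6} post {f.post_id} (author {f.post_author}, status {f.post_status})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or pass the path of the JSON export to audit a real site. Posts reported as RISKY match the exploitable pattern and should be deleted or edited before the plugin update; posts reported as review carry the tag outside the shortcode and are worth a look even though the description ties token generation to the shortcode.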
A password reset token is a unique code generated when a user requests to reset their password. It's used to verify the user's identity and allow them to set a new password.
If a password reset token is publicly accessible, an attacker can use it to reset a user's password without their consent, potentially allowing them to access sensitive information or perform malicious actions on behalf of the user.
If you suspect your account has been compromised, change your password immediately and enable two-factor authentication if available. You should also notify the website administrators.
You can verify the version of the Ultimate Member plugin in the WordPress admin dashboard, under the 'Plugins' section. If you have a version prior to 2.11.3, update it to the latest available version.
Yes, there are many other security measures you can take to protect your website, such as keeping software updated, using strong passwords, installing a security plugin, and performing regular backups.