CVE-2026-7761
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-7761 is a high-severity Account Takeover vulnerability in the Ultimate Member plugin for WordPress, caused by a chain of three logic bugs that enable Password Reset Link Disclosure. All versions up to and including 2.11.4 are affected. It was published on June 24, 2026, with a patch committed to the plugin repository the same day. The vulnerability carries a CVSS v3.1 base score of 8.8 (High) (GitHub Advisory, Wordfence).

Technical details

The vulnerability is classified as CWE-862 (Missing Authorization) and results from three chained logic flaws in the Ultimate Member plugin. First, get_directory_by_hash() falls back to an MD5-based lookup, computing SUBSTRING(MD5(post_id), 11, 5), which allows any WordPress post to be treated as a member directory. Second, post_data() uses strstr() to check for the _um_ prefix in meta key names; because strstr() matches a substring anywhere in the string, a key that contains _um_ somewhere other than at the start passes the check and circumvents WordPress's protected meta key restrictions. Third, build_user_card_data() performs no field name validation, so an arbitrary field name such as password_reset_link is passed to um_filtered_value(), which then leaks live password reset URLs in the member directory AJAX response (GitHub Advisory, Wordfence). Exploitation requires at minimum Contributor-level authentication and uses the WordPress XMLRPC interface to create the malicious post with crafted meta fields (GitHub Advisory).

Impact

A successful exploit allows an authenticated attacker with Contributor-level access or above to leak live password reset URLs for all users listed in the member directory, including site administrators, enabling full account takeover without knowing the target's credentials. The confidentiality, integrity, and availability impacts are all rated High, because an attacker who takes over an administrator account can fully compromise the WordPress site (modifying content, installing malicious plugins, exfiltrating data, or causing service disruption). The attack requires no user interaction and is exploitable remotely over the network (GitHub Advisory, Wordfence).

Exploitation steps

  1. Gain Contributor Access: Register or obtain Contributor-level (or higher) credentials on the target WordPress site running Ultimate Member ≤ 2.11.4.
  2. Create Malicious Post via XMLRPC: Use the WordPress XMLRPC interface (xmlrpc.php) to create a new post with crafted meta fields. The meta key must contain _um_ somewhere in its name (not necessarily at the start) to bypass the strstr() check in post_data(), and the meta value should inject password_reset_link into the tagline_fields configuration.
  3. Compute MD5 Hash for Directory Lookup: Calculate SUBSTRING(MD5(post_id), 11, 5) for the newly created post's ID to obtain the hash value that get_directory_by_hash() will match.
  4. Trigger Member Directory AJAX Handler: Send an AJAX request to the member directory endpoint using the computed MD5 hash as the directory identifier, pointing the handler to the attacker-controlled post.
  5. Extract Password Reset Links: Parse the member directory AJAX response, which will now include live password_reset_link values for all users rendered in the directory, including administrators.
  6. Perform Account Takeover: Use the leaked password reset URL for a target administrator account to set a new password and gain full administrative access to the WordPress site (GitHub Advisory, Wordfence).

Indicators of compromise

  • Network: Unusual or repeated AJAX POST requests to the WordPress member directory endpoint (e.g., wp-admin/admin-ajax.php with action=um_get_members) containing unexpected hash values not corresponding to legitimate member directory posts; XMLRPC requests (xmlrpc.php) from contributor-level accounts creating posts with suspicious meta keys containing _um_.
  • Logs: WordPress access logs showing POST /xmlrpc.php from contributor accounts followed shortly by POST /wp-admin/admin-ajax.php?action=um_get_members; error or debug logs referencing get_directory_by_hash(), post_data(), or build_user_card_data() with unexpected inputs.
  • File System / Database: WordPress wp_postmeta table entries with meta keys containing _um_ not at the start of the key name, or meta values referencing password_reset_link or tagline_fields in non-standard posts.
  • Process/Behavior: Unexpected password reset events for administrator accounts not initiated by those users; new administrator sessions originating from IP addresses not associated with the legitimate admin (GitHub Advisory, Wordfence).
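As an added example (not code from this page, from Wordfence, or from the Ultimate Member project), the following Python checks the two indicators described above and under Technical details: wp_postmeta keys that embed _um_ away from the start of the key, which a strstr() substring check would accept, and a POST /xmlrpc.php followed shortly by a um_get_members AJAX POST from the same client. The postmeta rows and access log lines are constructed samples, and the AJAX action is assumed to appear in the query string so that it is visible in the log.

```python
import re
from datetime import datetime, timedelta

# Constructed wp_postmeta rows (post_id, meta_key, meta_value); not data from a real site.
POSTMETA_ROWS = [
    (10, "_um_tagline_fields", 'a:1:{i:0;s:10:"user_login";}'),  # genuine directory post
    (42, "x_um_tagline_fields", 'a:1:{i:0;s:19:"password_reset_link";}'),  # _um_ not a prefix
    (43, "_edit_last", "2"),
    (44, "custom_um_mode", "directory"),  # _um_ embedded mid-key
]

def suspicious_postmeta(rows):
    """Flag rows matching the IoC above: _um_ inside the key but not at its start (a bare
    strstr() substring check accepts that), or a value that names password_reset_link."""
    hits = []
    for post_id, key, value in rows:
        reasons = []
        if "_um_" in key and not key.startswith("_um_"):
            reasons.append("embedded _um_")
        if "password_reset_link" in value:
            reasons.append("password_reset_link in value")
        if reasons:
            hits.append((post_id, key, reasons))
    return hits

# Constructed web-server access log (Combined Log Format), with the AJAX action in the
# query string so it is visible here; in practice it is usually in the POST body.
ACCESS_LOG = """\
203.0.113.5 - - [24/Jun/2026:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [24/Jun/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 200 4096 "-" "-"
203.0.113.5 - - [24/Jun/2026:10:03:45 +0000] "POST /wp-admin/admin-ajax.php?action=um_get_members HTTP/1.1" 200 4096 "-" "-"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def xmlrpc_then_members(log_text, window=timedelta(minutes=10)):
    """Pair each POST /xmlrpc.php with a later um_get_members AJAX POST from the same IP
    inside `window`; returns (ip, xmlrpc_time, ajax_time) tuples for analyst review."""
    last_xmlrpc, pairs = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and path.startswith("/xmlrpc.php"):
            last_xmlrpc[ip] = when
        elif method == "POST" and "admin-ajax.php" in path and "action=um_get_members" in path:
            t0 = last_xmlrpc.get(ip)
            if t0 is not None and when - t0 <= window:
                pairs.append((ip, t0, when))
    return pairs
```

Run the postmeta check against a dump of the real wp_postmeta table and the log correlation against the site's access log; a hit is a lead to review, not proof of compromise on its own.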

Mitigation and workarounds

The fix was committed to the Ultimate Member plugin repository in changeset 3569970 on June 24, 2026; administrators should update to a version newer than 2.11.4 as soon as a patched release is published (GitHub Advisory). As interim mitigations, consider disabling XMLRPC access (xmlrpc.php) if not required for legitimate operations, restricting contributor-level registrations, and auditing existing posts in the database for suspicious meta fields containing password_reset_link or non-standard _um_ meta keys. Web application firewall (WAF) rules targeting malformed AJAX member directory requests may also reduce exposure until the patch is applied (Wordfence).

Community reactions

The vulnerability was discovered and reported by Wordfence, which assigned the CVE and published the initial advisory on June 24, 2026 (Wordfence). No significant broader media coverage or notable researcher commentary beyond the initial disclosure has been observed at this time.

Additional resources


Source: This report was generated using artificial intelligence.

Related WordPress vulnerabilities:

CVE ID            Severity  Score  Component name               Exploit CISA KEV  Has fix  Publication date
CVE-2026-12242    NONE      N/A    adrotate                     No                         Jun 24, 2026
CVE-2026-7761     NONE      N/A    ultimate-member              No                         Jun 24, 2026
CVE-2026-9724     NONE      N/A    motordesk                    No                No       Jun 24, 2026
CVE-2026-9721     NONE      N/A    book-a-room-event-calendar   No                No       Jun 24, 2026
CVE-2026-9710     NONE      N/A    cornerstone                  No                         Jun 24, 2026
