Ultimate Member Plugin Vulnerability Allows Password Reset Link Disclosure
Patch Ultimate Member to version 2.12.0 immediately to close password reset link disclosure vulnerability.
Summary
Ultimate Member, a popular WordPress membership plugin, has a critical vulnerability that allows authenticated users with contributor-level privileges or higher to obtain password reset URLs for any user, including administrators. The flaw exists in all versions up to 2.11.4 and is caused by three logic errors: treating arbitrary posts as member directories, bypassing protected metadata restrictions, and failing to validate field names when generating user card data. Password reset links are temporary credentials that can be used to reset any account's password, effectively enabling full account takeover. The vulnerability was rated 8.8/10 and could affect up to 200,000 WordPress installations. A patch is available in version 2.12.0, which adds stricter validation around member directory handling and allowed user data fields. Site owners using Ultimate Member should update immediately to version 2.12.0 or newer to close the vulnerability. Failure to patch could allow attackers to compromise admin accounts and gain full control of the site. The issue underscores the importance of keeping membership plugins up to date and monitoring for risks reachable from low-privilege authenticated accounts.
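As an added illustration of the hardening pattern the 2.12.0 patch is described as applying (validate that a post really is a member directory, and allow-list the fields a member card may render), the following PHP is not Ultimate Member's own code: the directory post type name, the field lists and the function names are assumptions chosen for the example, and only the WordPress core functions called (get_post, sanitize_key, get_users, wp_send_json_error) are real.

```php
<?php
// Added example, not Ultimate Member's code. Demonstrates the two validation
// steps the advisory describes: (1) refuse arbitrary posts as directories,
// (2) allow-list the user fields a member card may expose, so that protected
// data such as the password reset key never reaches card output.

const DIRECTORY_POST_TYPE = 'um_directory'; // assumption: plugin's directory post type

// Public fields a member card may show. Anything not listed is refused.
const ALLOWED_CARD_FIELDS = ['display_name', 'user_login', 'description', 'user_url'];

// Fields that must never reach a card regardless of any allow-list. user_pass is
// the password hash; user_activation_key is the WordPress column that stores the
// password reset key, i.e. the value behind a password reset link.
const PROTECTED_FIELDS = ['user_pass', 'user_activation_key', 'user_email'];

/**
 * Fix for logic error 1: only a published post of the directory type counts as
 * a member directory. Any other post id is rejected before user data is read.
 */
function is_member_directory(int $post_id): bool {
    $post = get_post($post_id);
    return $post instanceof WP_Post
        && $post->post_type === DIRECTORY_POST_TYPE
        && $post->post_status === 'publish';
}

/**
 * Fix for logic error 3: validate requested field names against an explicit
 * allow-list. Protected names are dropped and logged even if a caller tries to
 * smuggle them in; unknown names are silently dropped.
 */
function sanitize_card_fields(array $requested): array {
    $safe = [];
    foreach ($requested as $field) {
        if (!is_string($field)) {
            continue;
        }
        $field = sanitize_key($field);
        if (in_array($field, PROTECTED_FIELDS, true)) {
            error_log("member card: refused protected field '{$field}'");
            continue;
        }
        if (in_array($field, ALLOWED_CARD_FIELDS, true)) {
            $safe[] = $field;
        }
    }
    return array_values(array_unique($safe));
}

/**
 * Build card data from a WP_User using only vetted field names. Reads WP_User
 * properties, never raw user meta, so protected metadata (logic error 2) is
 * not reachable from this code path at all.
 */
function build_member_card(WP_User $user, array $requested): array {
    $card = [];
    foreach (sanitize_card_fields($requested) as $field) {
        $card[$field] = $user->$field ?? '';
    }
    return $card;
}

/**
 * Hypothetical request handler tying the checks together: reject early when
 * the directory id is not a real directory, then render allow-listed fields.
 */
function handle_directory_request(int $directory_id, array $fields): array {
    if (!is_member_directory($directory_id)) {
        wp_send_json_error('invalid directory', 403);
    }
    $users = get_users(['number' => 50]);
    return array_map(fn(WP_User $u) => build_member_card($u, $fields), $users);
}
```

The design choice worth noting is that the allow-list is the only path to output: a request asking for `user_activation_key` is refused and logged rather than passed through to a metadata lookup, which is the detection signal a site owner would want to alert on.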
Key changes
- Vulnerability in Ultimate Member up to 2.11.4 allows password reset URLs for any user.
- Authenticated users with contributor-level privileges or higher can exploit the flaw.
- Three logic errors: arbitrary posts as member directories, bypassing metadata restrictions, missing field validation.
- Password reset links are temporary credentials enabling account takeover.
- Vulnerability rated 8.8/10 and could affect up to 200,000 installations.
- Patch available in version 2.12.0 with stricter validation.
- Updating to 2.12.0 or newer immediately is recommended.
- Failure to patch risks admin account compromise and full site control.