Urgent announcement for all WordPress users. A severe account takeover vulnerability (CVE-2026-7761) stemming from insufficient authentication has been reported in the popular 'Ultimate Member' plugin, which provides rich user management features. If exploited, this vulnerability could allow arbitrary user accounts to be compromised, potentially causing significant damage to website operations. A patched version has been released by the developers, so engineers using affected versions should apply the update immediately. This information was reported by security media on June 26, 2026.
Vulnerability Overview and Scope of Impact
This vulnerability (CVE-2026-7761) exists in Ultimate Member plugin versions 2.11.4 and earlier. It allows an unauthenticated attacker to create a malicious post with specially crafted meta-fields via XML-RPC, thereby extracting password reset URLs for all users, including administrators. Specifically, it is attributed to a combination of factors: the MD5 hash fallback processing in the <code>get_directory_by_hash()</code> function, improper string parsing with <code>strstr()</code> in the <code>post_data()</code> function, and a lack of field name validation in the <code>build_user_card_data()</code> function, which together allow arbitrary fields such as <code>password_reset_link</code> to be processed.
Specific Impact and Attack Scenarios
If this vulnerability is exploited, an attacker, acting as an authenticated user with Contributor-level privileges or higher, can use the XML-RPC feature to create a malicious post. Through specially crafted meta-fields embedded in this post, they can illicitly obtain password reset links for other users, including administrators. This allows the attacker to reset the password of the target user's account and potentially take over the account. Consequently, various malicious activities such as website defacement, information theft, and spamming could occur. The risk of attack is particularly high in environments where XML-RPC is enabled.
Immediate Countermeasures for Engineers
The most crucial countermeasure for this vulnerability is to immediately update the Ultimate Member plugin to the patched version 2.12.0 or higher. Additionally, if you do not require WordPress's XML-RPC functionality, it is strongly recommended to disable XML-RPC as part of your security hardening efforts. Below is an example of Nginx configuration to block access to XML-RPC.
location ~* /xmlrpc.php$ {
    deny all;
    access_log off;
    log_not_found off;
    return 403;
}

The above configuration blocks all access to <code>xmlrpc.php</code>, thereby cutting off one of the paths for vulnerability exploitation. Furthermore, if you have a Web Application Firewall (WAF) in place, it is important to confirm that rules blocking relevant attack patterns are applied. Do not neglect regular backups and monitoring for suspicious logs.
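The following script is an added example, not code from the advisory or from the Ultimate Member project. It ties the attack path described above (XML-RPC as the delivery vector) to the two countermeasures in this section: it reads the plugin's <code>Version:</code> header and compares it with the first patched release, 2.12.0, and it scans access-log lines for requests to <code>xmlrpc.php</code> to tell whether the endpoint is still reachable after the blocking configuration is deployed. The plugin header and the log lines are constructed samples; the plugin file path and the combined log format are assumptions.

```python
"""Exposure check for the Ultimate Member issue described above.

Added example, not code from the advisory or from the Ultimate Member project.
Assumptions: the plugin's main file carries a standard WordPress 'Version:'
header line, and the web server writes combined-format access logs.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Version boundary taken from the advisory text: 2.12.0 is the first patched release.
FIXED_VERSION = (2, 12, 0)

# Constructed sample plugin header (file path is an assumption about the layout:
# wp-content/plugins/ultimate-member/ultimate-member.php).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Ultimate Member
Version: 2.11.4
*/
"""

# Constructed sample access-log lines in combined log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [26/Jun/2026:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Jun/2026:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jun/2026:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Jun/2026:10:03:44 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 403 153 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(header_text: str) -> Tuple[int, ...]:
    """Return the 'Version:' value of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for any release below the first patched version (2.12.0).

    Short tuples are zero-padded so that (2, 12) is treated as 2.12.0
    instead of sorting below it.
    """
    padded = tuple(version) + (0,) * max(0, 3 - len(version))
    return padded < FIXED_VERSION


def xmlrpc_requests(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Extract (client_ip, method, status) for every request to xmlrpc.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.lower().endswith("/xmlrpc.php"):
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits


def unblocked_posts_by_ip(lines: Iterable[str]) -> Dict[str, int]:
    """Count POSTs to xmlrpc.php that were answered with something other than 403.

    A non-empty result means XML-RPC is still reachable, i.e. the blocking
    configuration shown above is not (yet) in effect on that server.
    """
    counts: Dict[str, int] = {}
    for ip, method, status in xmlrpc_requests(lines):
        if method == "POST" and status != 403:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def assess(header_text: str, log_lines: Iterable[str]) -> Dict[str, object]:
    """Combine the version check and the log scan into one verdict."""
    version = parse_version(header_text)
    reachable = unblocked_posts_by_ip(log_lines)
    return {
        "installed_version": ".".join(map(str, version)),
        "needs_update": is_vulnerable(version),
        "xmlrpc_reachable": bool(reachable),
        "posting_clients": reachable,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER, SAMPLE_ACCESS_LOG.splitlines()))
```

On the constructed samples the verdict reports version 2.11.4 as needing the update and flags XML-RPC as still reachable, because two POSTs from one client were answered with 200 while only the request that hit the deny rule received 403. In practice, point <code>parse_version()</code> at the plugin's main file and feed <code>assess()</code> the live access log; a result with <code>xmlrpc_reachable</code> set to false and <code>needs_update</code> false is the state to aim for.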