A serious security vulnerability has been discovered in the popular Ultimate Member WordPress plugin, potentially affecting up to 200,000 websites.
The flaw could allow attackers to gain control of user accounts by exposing password reset links, creating a pathway to take over accounts, including those with administrator privileges.
What Is Ultimate Member?
Ultimate Member is a widely used WordPress plugin designed to help website owners build membership platforms, online communities and user directories.
The plugin offers features such as user registration, login forms, profile pages and member listings, making it a popular choice for sites that rely on user-generated content and community engagement.
Vulnerability Requires Logged-In Access
Security researchers have classified the issue as an authenticated vulnerability. This means an attacker would first need access to an account with contributor-level permissions or higher before they could attempt to exploit the flaw.
Although this requirement limits the number of potential attackers, successful exploitation could have serious consequences, including complete control over a website.
The vulnerability has been assigned a severity score of 8.8 out of 10, placing it in the high-risk category.
How the Flaw Works
Researchers found that the vulnerability stems from a combination of several weaknesses within the plugin.
The first issue allows attackers to manipulate how the plugin handles member directories, potentially enabling them to redirect functionality towards content they control.
A second flaw makes it possible to bypass certain protections that normally restrict access to sensitive metadata stored within WordPress.
The final weakness involves insufficient validation of fields used when generating member information. This oversight allows attackers to request data that should never be publicly accessible.
When these flaws are combined, they can expose password reset links belonging to registered users.
Why Password Reset Links Are Sensitive
Password reset links are intended to be private and are normally sent directly to users who request access to their accounts.
These links effectively serve as temporary credentials that allow a user to create a new password.
If an attacker gains access to one of these links, they may be able to reset the password and take control of the associated account.
In the case of administrator accounts, this could provide complete access to the website and its settings.
According to security researchers, the flaw makes it possible for attackers with contributor-level access to retrieve active password reset URLs for users listed within member directories, including administrators.
Potential Impact on Website Owners
The vulnerability poses a significant risk because it can lead to full account compromise.
Once administrative access is obtained, attackers could modify website content, install malicious software, create new user accounts or lock legitimate owners out of their sites.
For websites that rely heavily on community features and user registrations, the consequences could be particularly severe.
Security Update Available
The vulnerability affects all versions of Ultimate Member up to and including version 2.11.4.
The plugin developers have released a fix in version 2.12.0, introducing stronger validation checks for member directories and restricting access to sensitive user data.
Website owners using the plugin are strongly encouraged to update to the latest version as soon as possible to protect their sites from potential exploitation.
Staying Protected
Keeping plugins updated remains one of the most important steps WordPress users can take to maintain website security.
Regular updates help address newly discovered vulnerabilities and reduce the risk of attackers exploiting outdated software.
For sites running Ultimate Member, installing version 2.12.0 or later should be considered a priority to ensure the vulnerability is fully patched and user accounts remain secure.
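The two sections above reduce to one concrete check: is the installed copy of Ultimate Member older than 2.12.0? The script below is an added example, not code from the article or from the Ultimate Member project. It reads the standard WordPress `Version:` plugin header and compares it against 2.12.0 with a plain dotted-version comparison, so it works in POSIX sh without `sort -V`. It assumes the plugin's main file lives at `wp-content/plugins/ultimate-member/ultimate-member.php` (that path is an assumption); the header in `demo_check` is a constructed sample so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the article or the Ultimate Member project):
# decide whether an installed Ultimate Member is in the affected range
# (all versions up to and including 2.11.4) by reading its plugin header.

FIXED_VERSION="2.12.0"   # first version stated as carrying the fix

# Print the value of the "Version:" line from a WordPress plugin file.
# Matches the usual " * Version: 2.11.4" docblock form; digits and dots only.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is strictly lower than $2, 1 otherwise.
# Missing components count as 0, so "2.12" equals "2.12.0".
version_lt() {
    a="$1"; b="$2"
    i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v n="$i" '{print $n}')
        y=$(printf '%s' "$b" | awk -F. -v n="$i" '{print $n}')
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Return 0 if the plugin file at $1 reports a version older than the fix,
# 1 if it is patched, 2 if no Version header could be found.
um_is_affected() {
    v=$(plugin_version "$1")
    [ -n "$v" ] || { echo "no Version header in $1" >&2; return 2; }
    version_lt "$v" "$FIXED_VERSION"
}

# Stand-alone demonstration on a constructed plugin header (not a real
# install): writes a minimal header with the given version and classifies it.
demo_check() {
    tmp=$(mktemp)
    printf '<?php\n/**\n * Plugin Name: Ultimate Member\n * Version: %s\n */\n' "$1" > "$tmp"
    if um_is_affected "$tmp"; then r=affected; else r=patched; fi
    rm -f "$tmp"
    echo "$r"
}

# Typical use on a real site (assumed path):
#   um_is_affected wp-content/plugins/ultimate-member/ultimate-member.php \
#       && echo "Ultimate Member needs updating to 2.12.0 or later"
```

Running `demo_check 2.11.4` prints `affected` and `demo_check 2.12.0` prints `patched`. On a live site, a result of `affected` means the update described above is still outstanding; with WP-CLI available, `wp plugin update ultimate-member` applies it, after which re-running the check should report `patched`.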