Ultimate Member WordPress Plugin Sensitive Information Exposure Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability allowing sensitive information exposure has been identified in the Ultimate Member plugin for WordPress, affecting all versions through 2.11.2. The issue arises because the '{usermeta:password_reset_link}' template tag is processed within post content via the '[um_loggedin]' shortcode. Rendering that tag generates a valid password reset token for whichever user is currently logged in. Authenticated attackers with Contributor-level access or higher can create a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator. This token can then be exfiltrated to an attacker-controlled server, leading to full account takeover.

Impact

Exploitation of this vulnerability allows for full account takeover of the Administrator user.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can create a pending post that includes the '[um_loggedin]' shortcode. When this post is previewed by an Administrator, a password reset token will be generated for the Administrator and can be sent to an attacker-controlled server.
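A site owner who cannot update immediately will want to find posts that already carry this combination. The following scanner is an added detection example, not code from the Ultimate Member plugin or from this advisory; it assumes post rows are available as dictionaries with wp_posts-style keys plus an assumed 'author_role' field joined from the author's capabilities, and flags any post in which the reset-link template tag sits inside an '[um_loggedin]' block or is used by a non-administrator author, listing off-site URLs in the same post for triage.

```python
import re

# Shortcode and template tag named in the advisory (assumed to appear verbatim in post_content).
SHORTCODE_RE = re.compile(r"\[um_loggedin[^\]]*\](.*?)\[/um_loggedin\]", re.S | re.I)
RESET_TAG_RE = re.compile(r"\{usermeta:password_reset_link\}", re.I)
# Absolute URLs in the post; off-site ones show where a rendered link could be sent.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def find_reset_link_abuse(posts, site_host):
    """Return one finding per post whose content can mint a reset link for the viewer.

    Reported when the template tag sits inside an [um_loggedin] block, or when it
    appears at all in content by a non-administrator. 'author_role' is an assumed
    field joined from wp_usermeta; the other keys mirror wp_posts columns.
    """
    findings = []
    for post in posts:
        content = post.get("post_content", "")
        if not RESET_TAG_RE.search(content):
            continue
        inside_shortcode = any(RESET_TAG_RE.search(b) for b in SHORTCODE_RE.findall(content))
        low_priv_author = post.get("author_role") != "administrator"
        if not (inside_shortcode or low_priv_author):
            continue
        external = sorted({u for u in URL_RE.findall(content) if site_host not in u})
        findings.append({
            "ID": post["ID"],
            "status": post.get("post_status"),
            "author": post.get("post_author"),
            "inside_um_loggedin": inside_shortcode,
            "external_urls": external,
        })
    return findings

# Constructed sample rows for offline testing, not data from any real site.
SAMPLE_POSTS = [
    {"ID": 101, "post_status": "pending", "post_author": "contrib", "author_role": "contributor",
     "post_content": "[um_loggedin]{usermeta:password_reset_link}[/um_loggedin] "
                     "See also https://example.invalid/page"},
    {"ID": 102, "post_status": "publish", "post_author": "admin", "author_role": "administrator",
     "post_content": "Welcome. Read more at https://mysite.example/about"},
    {"ID": 103, "post_status": "draft", "post_author": "admin", "author_role": "administrator",
     "post_content": "[um_loggedin]Reset here: {usermeta:password_reset_link}[/um_loggedin]"},
]

if __name__ == "__main__":
    for finding in find_reset_link_abuse(SAMPLE_POSTS, "mysite.example"):
        print(finding)
```

Pending or draft posts from non-administrator authors in the output are the ones to review before any Administrator previews them.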

Remediation

Users are advised to update the Ultimate Member plugin to version 2.11.3 or a newer patched version.

Added: Mar 27, 2026, 11:20 PM
Updated: Mar 27, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 5.0
exploitability: 5.6
remediation: 7.7
relevance: 4.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.