Wordfence says a high-severity flaw in Ultimate Member lets contributor-level attackers take over administrator accounts. If you run version 2.11.4 or earlier, update to 2.12.0 now.

What happened

The bug exposes live password reset links for other users. A password reset link is effectively a temporary login key, so exposing it can hand control of the account to someone else.

In this case, an attacker with contributor access can place a malicious template tag in content and wait for an administrator to preview it. That preview can generate the admin’s reset link and leak it to the attacker, who can then change the password and lock the admin out.

Who is at risk

The risk applies to sites running Ultimate Member 2.11.4 or earlier. It matters most on membership, community, and directory sites because those sites often give many users contributor-level access.

Contributor-level means a logged-in user can write or manage their own posts. If your site never gives that kind of access, your immediate exposure is lower, but you should still patch.

What to do

Update Ultimate Member to version 2.12.0 or later immediately. After updating, review your list of active users and look for accounts that were recently created, recently elevated in privilege, or that you do not recognize.
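An added triage helper for the two steps above, written for this article and not code from Wordfence or the Ultimate Member project. It assumes the site's users were exported with wp-cli (`wp user list --fields=ID,user_login,roles,user_registered --format=json`), that the owner keeps a list of known-good administrator logins, and optionally a role snapshot from an earlier export so privilege elevation can be spotted; the sample export is constructed.

```python
"""Post-update triage for the Ultimate Member account-takeover flaw described above."""
import json
from datetime import datetime, timedelta

FIXED_VERSION = (2, 12, 0)  # first fixed release named in the article


def is_vulnerable(version: str) -> bool:
    """True when the installed plugin version is 2.11.4 or earlier (numeric x.y.z assumed)."""
    nums = [int("".join(c for c in p if c.isdigit()) or 0) for p in version.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums))) < FIXED_VERSION


def suspicious_users(users_json: str, known_admins: set, now: datetime,
                     previous_roles: dict = None, window_days: int = 30) -> list:
    """Return (login, reason) pairs for the review criteria in the article:
    administrators not on the known-good list, accounts elevated to administrator
    since the previous export (if one is supplied), and recently created accounts."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for u in json.loads(users_json):
        login = u["user_login"]
        roles = {r.strip() for r in u["roles"].split(",") if r.strip()}  # wp-cli joins roles with commas
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and login not in known_admins:
            findings.append((login, "unrecognized administrator"))
        prior = (previous_roles or {}).get(login)
        if prior is not None and "administrator" in roles and "administrator" not in prior:
            findings.append((login, "elevated to administrator since last export"))
        if registered >= cutoff:
            findings.append((login, "created in last %d days" % window_days))
    return findings


# Constructed sample export and review date (not real site data).
SAMPLE_NOW = datetime(2024, 6, 1)
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "owner", "roles": "administrator", "user_registered": "2021-03-02 10:00:00"},
    {"ID": 42, "user_login": "writer7", "roles": "contributor", "user_registered": "2024-01-15 09:30:00"},
    {"ID": 91, "user_login": "support_admin", "roles": "administrator", "user_registered": "2024-05-28 22:14:07"},
])
PREVIOUS_ROLES = {"owner": {"administrator"}, "writer7": {"contributor"}, "support_admin": {"contributor"}}

if __name__ == "__main__":
    print("2.11.4 vulnerable:", is_vulnerable("2.11.4"))
    for login, reason in suspicious_users(SAMPLE_EXPORT, {"owner"}, SAMPLE_NOW, PREVIOUS_ROLES):
        print(f"{login}: {reason}")
```

Accounts flagged here are leads for manual review, not proof of compromise; a forced password reset for administrators is a reasonable precaution while you check them.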
