CVE-2026-7761 is a high-severity vulnerability in the Ultimate Member WordPress plugin (up to and including version 2.11.4) that enables account takeover via password reset link disclosure. The issue arises from three chained logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be treated as a member directory by computing a substring of the MD5 hash of the post ID; (2) a strstr() parsing flaw in post_data() that bypasses WordPress's protected meta key restrictions by allowing '_um_' to appear anywhere in the meta key name; and (3) missing validation of field names in build_user_card_data(), permitting arbitrary field names such as 'password_reset_link' to be passed to um_filtered_value(). Exploiting these flaws, an attacker with Contributor-level privileges can create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to direct the member directory AJAX handler to this post, inject 'password_reset_link' into the tagline_fields configuration, and thereby leak live password reset URLs for all users in the member directory response, including administrators.

An attacker with Contributor-level access or higher can disclose live password reset URLs for all users, including administrators, potentially leading to account takeover. This compromises confidentiality, integrity, and availability of user accounts within the affected WordPress site.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access and monitor for suspicious XMLRPC activity. Avoid exposing member directory AJAX endpoints to untrusted users. Follow vendor updates closely for an official patch or temporary mitigations.