Search criteria
4 vulnerabilities by armember
CVE-2026-5073 (GCVE-0-2026-5073)
Vulnerability from cvelistv5 – Published: 2026-06-02 18:30 – Updated: 2026-06-02 20:55
VLAI
Title
ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter
Summary
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| armember | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup |
Affected:
0 , ≤ 7.3.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T20:31:31.033181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T20:55:39.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ARMember Premium \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
"vendor": "armember",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ph\u00fa"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter of the \u0027arm_directory_paging_action\u0027 AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied \u0027order\u0027 and \u0027orderby\u0027 parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:30:47.226Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5f6d2a2-ad3e-4afc-b6fd-745881d85b6b?source=cve"
},
{
"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T18:51:03.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-02T05:30:40.000Z",
"value": "Disclosed"
}
],
"title": "ARMember Premium \u003c= 7.3.1 - Unauthenticated SQL Injection via \u0027order\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5073",
"datePublished": "2026-06-02T18:30:47.226Z",
"dateReserved": "2026-03-28T12:54:39.162Z",
"dateUpdated": "2026-06-02T20:55:39.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5074 (GCVE-0-2026-5074)
Vulnerability from cvelistv5 – Published: 2026-06-02 18:30 – Updated: 2026-06-02 20:55
VLAI
Title
ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Parameter
Summary
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if the "User Private Content" addon is enabled, which is disabled by default..
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| armember | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup |
Affected:
0 , ≤ 7.3.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T20:31:38.697778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T20:55:53.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ARMember Premium \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
"vendor": "armember",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ph\u00fa"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the \u0027sSortDir_0\u0027 parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if the \"User Private Content\" addon is enabled, which is disabled by default.."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:30:46.862Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76664f7a-b27d-4f2c-9314-92f4515c359f?source=cve"
},
{
"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T18:51:02.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-02T05:30:43.000Z",
"value": "Disclosed"
}
],
"title": "ARMember Premium \u003c= 7.3.1 - Authenticated (Subscriber+) SQL Injection via \u0027sSortDir_0\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5074",
"datePublished": "2026-06-02T18:30:46.862Z",
"dateReserved": "2026-03-28T13:02:46.318Z",
"dateUpdated": "2026-06-02T20:55:53.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5076 (GCVE-0-2026-5076)
Vulnerability from cvelistv5 – Published: 2026-06-02 18:30 – Updated: 2026-06-02 20:56
VLAI
Title
ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation
Summary
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| armember | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup |
Affected:
0 , ≤ 7.3.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T20:31:48.636699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T20:56:08.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ARMember Premium \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
"vendor": "armember",
"versions": [
{
"lessThanOrEqual": "7.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ph\u00fa"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin\u0027s custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:30:46.269Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b15eca5-fd47-4f8f-8ade-3a90e0bfc110?source=cve"
},
{
"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T18:51:02.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-02T05:30:45.000Z",
"value": "Disclosed"
}
],
"title": "ARMember Premium \u003c= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5076",
"datePublished": "2026-06-02T18:30:46.269Z",
"dateReserved": "2026-03-28T13:25:02.784Z",
"dateUpdated": "2026-06-02T20:56:08.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5596 (GCVE-0-2024-5596)
Vulnerability from cvelistv5 – Published: 2024-06-22 05:47 – Updated: 2026-04-08 16:47
VLAI
Title
ARMember Premium <= 6.7 - Cross-Site Request Forgery via multiple functions
Summary
The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| armember | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup |
Affected:
0 , ≤ 6.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T18:16:14.740709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T19:02:22.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:18:06.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ARMember Premium \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup",
"vendor": "armember",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:47:51.555Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e55591e-c1e9-4667-b04f-4956d2f37d51?source=cve"
},
{
"url": "https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-03T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-03T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-21T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "ARMember Premium \u003c= 6.7 - Cross-Site Request Forgery via multiple functions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5596",
"datePublished": "2024-06-22T05:47:55.999Z",
"dateReserved": "2024-06-03T12:57:51.027Z",
"dateUpdated": "2026-04-08T16:47:51.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}