Impact
This vulnerability is a PHP Object Injection (CWE‑502) located in the WordPress ARMember Premium plugin up to and including version 7.0. The flaw allows an attacker to inject serialized PHP objects through contributor‑level input, potentially enabling arbitrary code execution on the hosting server. Successful exploitation would compromise the confidentiality, integrity, and availability of the WordPress installation, and could result in a full system takeover.
Affected Systems
The affected product is the Reputeinfosystems ARMember Premium plugin for WordPress. Versions up to and including 7.0 are vulnerable; no specific sub‑versions are listed. All WordPress sites running an affected version of the plugin are at risk.
Risk and Exploitability
The CVSS base score is 8.8, indicating high severity. EPSS data is not available, so the current exploitation probability cannot be quantified, and the vulnerability is not listed in CISA KEV. The CVE entry does not specify the required privileges, but the description refers to contributor‑level input, so the likely attack surface is the contributor interface and exploitation would require an authenticated contributor or a privileged user. Once the attacker supplies a crafted payload, the plugin’s deserialization routine may execute arbitrary code, giving the attacker full control.
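A detection-side example, added here and not taken from the plugin or the CVE entry: it flags request parameters that carry PHP serialized objects, the input shape this class of flaw depends on, including URL-encoded and base64-wrapped forms. The parameter names, sample values and class names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# PHP serialize() writes objects as O:<len>:"<Class>":<props>:{ and
# Serializable objects as C:<len>:"<Class>":<bytes>:{ . A sign before the
# length is tolerated because some PHP versions accepted it.
_OBJ = re.compile(r'(?<![A-Za-z0-9])[OC]:\+?(\d+):"([A-Za-z0-9_\\]+)":\d+:\{')


def _views(value):
    """Return the raw value plus its URL-decoded and base64-decoded views."""
    views, current = [], value
    for _ in range(3):  # raw, URL-decoded once, URL-decoded twice
        if current in views:
            break
        views.append(current)
        current = unquote_plus(current)
    for text in list(views):
        try:
            raw = base64.b64decode(text, validate=True)
            views.append(raw.decode("utf-8", errors="replace"))
        except (binascii.Error, ValueError):
            pass  # not base64, nothing to add
    return views


def serialized_classes(value):
    """Return the class names of PHP serialized objects found in a value."""
    found = set()
    for text in _views(value):
        for length, name in _OBJ.findall(text):
            if int(length) == len(name):  # declared length must match the name
                found.add(name)
    return sorted(found)


def scan(params):
    """Map each parameter name to the object classes detected in it."""
    hits = {key: serialized_classes(val) for key, val in params.items()}
    return {key: classes for key, classes in hits.items() if classes}


# Constructed request parameters for demonstration only.
SAMPLES = {
    "plain_text": "My first draft post",
    "serialized_array": 'a:1:{s:4:"role";s:6:"author";}',
    "raw_object": 'O:11:"ExampleType":1:{s:2:"id";i:7;}',
    "url_encoded": "O%3A11%3A%22ExampleType%22%3A0%3A%7B%7D",
    "base64": base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(),
}
```

A hit means the parameter contains an object marker and deserves review; it does not by itself show that the plugin deserialized the value.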