Description
Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.
Published: 2026-07-02
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a PHP Object Injection (CWE-502) in the WordPress ARMember Premium plugin, affecting versions up to and including 7.0. The plugin hands attacker-controlled input, reachable from a contributor-level account, to PHP's deserialization routine, so an attacker can instantiate any class loadable on the site with chosen property values. Object injection on its own does not execute code; it becomes code execution when a class with an exploitable magic method (a gadget chain) is available in the plugin, WordPress core or another installed plugin, at which point it can escalate to arbitrary file writes or remote code execution on the hosting server. Successful exploitation would compromise the confidentiality, integrity and availability of the WordPress installation and could result in a full takeover of the host.

Affected Systems

The affected product is the Reputeinfosystems ARMember Premium plugin for WordPress. Versions up to and including 7.0 are affected; the CVE record names no fixed version and lists no sub-versions. Any WordPress site running an affected version of this plugin is at risk.

Risk and Exploitability

The CVSS 3.1 base score is 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, low privileges required, no user interaction. No EPSS data is available, so the current exploitation probability cannot be quantified; the vulnerability is not listed in CISA KEV, and the SSVC assessment records Exploitation: none and Automatable: no. The title ("Contributor PHP Object Injection") together with PR:L indicates that an authenticated account holding the Contributor role, or any higher role, is sufficient to reach the vulnerable code. Whether a crafted payload yields code execution depends on the gadget classes loadable on the target site, but the Technical Impact: total rating reflects that a suitable chain gives the attacker full control.

Generated by OpenCVE AI on July 2, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ARMember Premium plugin to the first release after 7.0 that the vendor identifies as fixing this issue. At the time of writing the CVE record lists no fixed version and no references, so confirm the fix in the vendor's changelog rather than assuming any later release is patched.
  • Until a fix is applied, review and reduce the set of accounts holding the Contributor role or above, remove stale or untrusted accounts, and keep untrusted users away from the plugin's contributor-facing features.
  • For developers and maintainers auditing the plugin: never pass user-controlled data to unserialize(). Prefer a data-only format such as JSON; at minimum call unserialize() with ['allowed_classes' => false] and reject any __PHP_Incomplete_Class in the result. Also audit stored values (options, post meta) that the plugin deserializes later, since a payload written by a contributor can be triggered afterwards in a higher-privileged context.
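The mechanism described in the Impact and Risk sections above, and the hardening advice in the last recommendation, as an added example that is not ARMember code and is not derived from the vulnerable plugin: a hypothetical CacheWriter class stands in for whatever gadget class a real site might expose, a constructed payload is fed to the unsafe unserialize() pattern, and the same payload is then fed to two hardened loaders. The class, function and file names and the payload are all assumptions for illustration.

```php
<?php
// Added example, not ARMember code. Demonstrates PHP Object Injection
// (CWE-502): a hypothetical gadget class, the unsafe unserialize() pattern,
// and two hardened loaders that reject the same payload.
declare(strict_types=1);

// Hypothetical application class. Harmless by itself; it becomes a gadget
// once an attacker can instantiate it with chosen property values, because
// __destruct runs automatically when the object is discarded.
final class CacheWriter
{
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    public function __destruct()
    {
        // With attacker-controlled $path and $data this is an arbitrary file
        // write, e.g. a .php file dropped under the web root.
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: contributor-supplied input goes straight to unserialize(),
// so any class loadable on the site can be instantiated.
function load_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Rejects objects anywhere in the decoded value, including inside arrays.
function reject_objects(mixed $v): void
{
    if ($v instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('object payload rejected');
    }
    if (is_array($v)) {
        foreach ($v as $e) {
            reject_objects($e);
        }
    }
}

// HARDENED, option 1: keep PHP serialization but forbid class instantiation.
// Objects in the payload become __PHP_Incomplete_Class (no magic methods run)
// and are then rejected explicitly.
function load_settings_no_objects(string $raw): mixed
{
    $v = unserialize($raw, ['allowed_classes' => false]);
    reject_objects($v);
    return $v;
}

// HARDENED, option 2 (preferred): a data-only format. JSON has no notion of
// PHP classes, so there is nothing to inject.
function load_settings_json(string $raw): array
{
    $v = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($v)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $v;
}

// Constructed payload, as a contributor could submit it in a form field:
// a CacheWriter instance with attacker-chosen path and data.
$target  = sys_get_temp_dir() . '/poi_demo.txt';
$payload = 'O:11:"CacheWriter":2:{'
         . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
         . 's:4:"data";s:12:"pwned by POI";}';

@unlink($target);
load_settings_vulnerable($payload);   // object built, then discarded: __destruct fires
printf("vulnerable loader: file written = %s\n", var_export(file_exists($target), true));
@unlink($target);

foreach (['load_settings_no_objects', 'load_settings_json'] as $fn) {
    try {
        $fn($payload);
        echo "$fn: accepted payload (unexpected)\n";
    } catch (Throwable $e) {
        printf("%s: rejected payload (%s)\n", $fn, get_class($e));
    }
}
printf("hardened loaders: file written = %s\n", var_export(file_exists($target), true));
```

Run it with `php poi_demo.php` on PHP 8. The vulnerable loader writes the file without any call into CacheWriter from the application's own code; the destructor does the work. The first hardened loader stops the magic method from ever running because the object is never instantiated as CacheWriter, and the second never parses a PHP object at all. On a real WordPress site the gadget would come from whatever classes the autoloader can reach, which is why removing unserialize() on untrusted input, rather than hunting for gadgets, is the durable fix.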

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type        Values Removed   Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Jul 2026 11:30:00 +0000

Type         Values Removed   Values Added
Description                   Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.
Title                         WordPress ARMember Premium plugin <= 7.0 - PHP Object Injection vulnerability
Weaknesses                    CWE-502
References
Metrics                       cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-07-02

Updated: 2026-07-02T12:12:47.329Z

Reserved: 2026-02-17T13:23:42.766Z

Link: CVE-2026-27060

Vulnrichment

Updated: 2026-07-02T12:12:42.274Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data