Description
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-02
Score: 7.5 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ARMember Premium WordPress plugin contains an unauthenticated SQL injection flaw in the 'order' parameter of the 'arm_directory_paging_action' AJAX action. Because the plugin does not escape user-supplied input and omits prepared statements in the arm_get_directory_members function, an attacker can inject arbitrary SQL commands. This flaw enables extraction of sensitive data such as user credentials and membership information from the database.

Affected Systems

The vulnerability applies to all releases of the ARMember Premium Membership Plugin for WordPress up to and including version 7.3.1. WordPress sites that use this plugin and enable the directory paging AJAX handler are potentially exposed. The exposed parameters are 'order' and 'orderby', which can be manipulated without authentication.

Risk and Exploitability

The CVSS score of 7.5 signals a high impact risk. The EPSS score of 1% indicates a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog, but the lack of authentication requirement and the network‑exposed AJAX endpoint make exploitation possible if the plugin remains vulnerable. An attacker can craft a request and append SQL to the 'order' parameter to read or manipulate database contents remotely.

Generated by OpenCVE AI on June 18, 2026 at 07:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ARMember Premium plugin to the latest available version, which is expected to contain the fix for this SQL injection vulnerability.
  • If an upgrade is not feasible, modify the plugin code to sanitize the 'order' and 'orderby' parameters or replace the vulnerable query with a prepared statement inside the arm_get_directory_members function.
  • To provide short-term protection, block or restrict anonymous access to the wp-admin/admin-ajax.php?action=arm_directory_paging_action endpoint using a WordPress hook or a firewall rule that allows only authenticated users.

Generated by OpenCVE AI on June 18, 2026 at 07:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Armember
Armember armember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User Signup
Wordpress
Wordpress wordpress
Vendors & Products Armember
Armember armember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User Signup
Wordpress
Wordpress wordpress

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Armember Armember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User Signup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T20:55:39.866Z

Reserved: 2026-03-28T12:54:39.162Z

Link: CVE-2026-5073

cve-icon Vulnrichment

Updated: 2026-06-02T20:55:35.098Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T20:16:40.467

Modified: 2026-06-02T20:56:20.057

Link: CVE-2026-5073

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T07:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')