Description
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
Published: 2026-06-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ARMember Premium plugin stores the password reset key in plaintext in the user meta field arm_reset_password_key. This key can be combined with the plugin's custom armrp reset action to set a new password for any user. When coupled with other flaws such as SQL injection, an unauthenticated attacker can extract this key and reset the password for any account, including administrators.

Affected Systems

The vulnerability affects the ARMember Premium WordPress plugin, versions up to and including 7.3.1. All installations of the plugin within that version range are subject to the insecure reset mechanism.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, yet the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. An attack chains a password reset request, retrieval of the plaintext key, and a call to the armrp action to change the password. Because the key is stored unhashed in user meta, any flaw that exposes wp_usermeta contents, such as the SQL injection issues noted above, hands it to an unauthenticated attacker. This offers straightforward privilege escalation to any role.

Generated by OpenCVE AI on June 3, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch for ARMember Premium to eliminate the insecure reset key.
  • Check for and address any additional vulnerabilities such as CVE-2026-5073 and CVE-2026-5074.
  • If a patch is not immediately available, disable the ARMember password reset functionality or delete the arm_reset_password_key metadata to prevent misuse.
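One way to carry out the last recommended action, as an added example that is neither ARMember's nor OpenCVE's code: a must-use plugin that deletes the plaintext `arm_reset_password_key` meta whenever it is written and purges any rows already stored. The only page-specific value it relies on is the meta key from the description; the hooks and functions are WordPress core APIs, and the option name `arm_mitigation_purged` is a constructed marker.

```php
<?php
/**
 * Plugin Name: Strip ARMember plaintext reset key (example mitigation)
 * Description: Added example, not ARMember or OpenCVE code. Removes the plaintext
 * reset key named in CVE-2026-5076 so it cannot be read out of wp_usermeta.
 * Install as a must-use plugin (wp-content/mu-plugins/); no activation step needed.
 */
// Meta key taken from the CVE description; everything else uses WordPress core APIs.
const ARM_PLAINTEXT_RESET_META = 'arm_reset_password_key';

/**
 * Fires right after the plugin writes or updates the meta row and removes it again.
 * Core's hashed key in wp_users.user_activation_key is untouched, so the standard
 * wp-login.php?action=rp flow keeps working; the plugin's own armrp action no longer
 * finds a key, which is the point of the mitigation.
 */
function arm_mitigation_strip_plaintext_key( $meta_id, $user_id, $meta_key, $meta_value ) {
    if ( ARM_PLAINTEXT_RESET_META !== $meta_key || '' === (string) $meta_value ) {
        return;
    }
    delete_user_meta( (int) $user_id, ARM_PLAINTEXT_RESET_META );
    // Audit trail: a burst of these across many users is worth investigating.
    error_log( sprintf( '[arm-mitigation] removed plaintext reset key for user %d', $user_id ) );
}
add_action( 'added_user_meta',   'arm_mitigation_strip_plaintext_key', 10, 4 );
add_action( 'updated_user_meta', 'arm_mitigation_strip_plaintext_key', 10, 4 );

/**
 * One-off cleanup of keys already stored. Returns how many non-empty rows existed
 * before deletion so an operator can gauge prior exposure.
 */
function arm_mitigation_purge_existing_keys() {
    global $wpdb;
    $exposed = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->usermeta} WHERE meta_key = %s AND meta_value <> ''",
        ARM_PLAINTEXT_RESET_META
    ) );
    // delete_all = true drops the key for every user in a single call.
    delete_metadata( 'user', 0, ARM_PLAINTEXT_RESET_META, '', true );
    return $exposed;
}

// Run the purge once per site (constructed option name), then rely on the hooks above.
add_action( 'init', function () {
    if ( ! get_option( 'arm_mitigation_purged' ) ) {
        $n = arm_mitigation_purge_existing_keys();
        update_option( 'arm_mitigation_purged', time(), false );
        error_log( "[arm-mitigation] purged {$n} stored plaintext reset keys" );
    }
} );
```

This deliberately disables the plugin's own armrp reset path, which is the effect the recommended action asks for; users can still reset passwords through the core flow.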


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 12:45:00 +0000

Type: First Time appeared
  Values Added:
    Armember
    Armember armember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User Signup
    Wordpress
    Wordpress wordpress
Type: Vendors & Products
  Values Added:
    Armember
    Armember armember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User Signup
    Wordpress
    Wordpress wordpress

Wed, 03 Jun 2026 02:30:00 +0000

Type: Description
  Values Added: The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
Type: Title
  Values Added: ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation
Type: Weaknesses
  Values Added: CWE-287
Type: References
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Armember Armember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User Signup
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T20:56:08.662Z

Reserved: 2026-03-28T13:25:02.784Z

Link: CVE-2026-5076

Vulnrichment

Updated: 2026-06-02T20:56:03.448Z

NVD

Status: Deferred

Published: 2026-06-02T20:16:40.720

Modified: 2026-06-02T20:56:20.057

Link: CVE-2026-5076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:55:14Z

Weaknesses