Impact
The ARMember – Membership Plugin for WordPress contains a time‑based blind SQL injection that allows unauthenticated actors to inject arbitrary SQL statements via the 'orderby' parameter. The flaw is caused by insufficient escaping of user‑supplied data and the lack of prepared statements in the query construction. By exploiting this vulnerability, an attacker can retrieve confidential database contents without authentication, potentially exposing user credentials, membership details, and other sensitive information.
Affected Systems
WordPress sites running the ARMember plugin by Repute Infosystems, version 4.0.60 or earlier. The attack occurs when the plugin’s directory or shortcode rendering functions receive an 'orderby' parameter in the HTTP request and use it in an SQL query without performing any input validation.
Risk and Exploitability
The vulnerability has a CVSS score of 7.5, indicating high impact. The EPSS score is not available, so the likelihood of exploitation is unknown, but the flaw is publicly documented and no mitigations are offered by the vendor. The attack likely requires HTTP access to the WordPress front‑end or plugin‑specific URLs that expose the 'orderby' parameter. An attacker can send a request with a crafted 'orderby' value, such as "order by 1--", to trigger a time delay or flood the database; this indicates that the injection succeeded and can be used to extract data. The risk is further amplified by the lack of authentication requirements, meaning any external visitor can exploit it.
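For defenders reviewing web server logs, the following added example (not code from the plugin or the vendor) flags requests whose 'orderby' value is anything other than a single column-style identifier with an optional sort direction. The log lines, the `/members/` path and the function names are constructed for illustration; only GET query strings are visible in access logs, so POST bodies need a separate source such as a WAF log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A sort key an application would legitimately accept: one identifier,
# optionally followed by a direction. Anything else is treated as suspect.
SAFE_ORDERBY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*( (asc|desc))?", re.IGNORECASE)

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /members/?orderby=user_login HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /members/?orderby=name+desc&page=2 HTTP/1.1" 200 5090',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /members/?orderby=order%20by%201-- HTTP/1.1" 200 4800',
]


def suspicious_orderby(log_line):
    """Return decoded orderby values in one log line that fail the allowlist pattern."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    # parse_qsl URL-decodes values, so %20 and + both become spaces.
    for key, value in parse_qsl(query):
        value = value.strip()
        # Also cover the array form "orderby[]".
        if key.lower().rstrip("[]") == "orderby" and value:
            if not SAFE_ORDERBY.fullmatch(value):
                hits.append(value)
    return hits


def scan(lines):
    """Return (client_ip, orderby_value) pairs for every flagged request."""
    return [(line.split()[0], value)
            for line in lines
            for value in suspicious_orderby(line)]


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} sent non-conforming orderby: {value!r}")
```

The same allowlist pattern can be enforced at a WAF or reverse proxy in front of the site while the plugin remains unpatched.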
OpenCVE Enrichment