Two vulnerabilities in the ARMember Premium WordPress membership plugin, tracked as CVE-2026-5076 and CVE-2026-5073, create a dangerous attack chain enabling full site compromise. CVE-2026-5076 (CVSS 9.8) stores a plaintext copy of password reset keys alongside user accounts — allowing instant account takeover by anyone with database access. CVE-2026-5073 (CVSS 7.5) is an SQL injection vulnerability that provides that database access. Together, they form a complete compromise chain: exploit the SQL injection to read the database, extract plaintext reset keys, and take over any user account including administrators.
What Are the Vulnerabilities?
CVE-2026-5076 — Insecure Password Reset Mechanism (CVSS 9.8): The ARMember Premium plugin stores a plaintext copy of every password reset key in the arm_reset_password_key user meta field whenever a user requests a password reset. WordPress core stores a correctly hashed version of the reset key, but ARMember stores an additional unhashed copy alongside it. Any attacker who gains access to the WordPress database — through SQL injection, a compromised database backup, a misconfigured database endpoint, or any other means — can read the plaintext reset keys for any user who has recently requested a password reset and use them to take over those accounts.
CVE-2026-5073 — SQL Injection (CVSS 7.5): The order and orderby parameters of the arm_directory_paging_action AJAX action are vulnerable to SQL injection due to insufficient escaping of user-supplied input and lack of adequate query preparation. An attacker can inject malicious SQL through these parameters to read arbitrary data from the WordPress database — including user tables, the arm_reset_password_key meta field exploited by CVE-2026-5076, and any other sensitive data stored in the database.
Together, these two vulnerabilities create a complete attack chain: (1) exploit the SQL injection (CVE-2026-5073) to extract database contents, (2) locate the plaintext password reset keys stored by CVE-2026-5076, (3) use those keys to reset passwords and take over targeted accounts — including administrator accounts — and (4) achieve full site compromise. The vulnerabilities are classified as:
- CVE-2026-5076: CVSS 9.8 Critical | CWE-287 (Improper Authentication)
- CVE-2026-5073: CVSS 7.5 High | CWE-89 (SQL Injection)
Which Versions Are Affected?
Both vulnerabilities affect ARMember Premium — a commercial WordPress membership and subscription management plugin:
- ARMember Premium: all versions up to and including 7.3.1
ARMember Premium is used by membership sites, subscription platforms, online course platforms, and community portals to manage user registration, membership levels, payments, and content access control. These sites typically store user data, payment information, and protected content — making database compromise particularly high-impact.
Is It Being Exploited in the Wild?
No large-scale exploitation has been publicly confirmed at the time of writing. However, both vulnerabilities were published on June 2, 2026, and the attack chain is clearly documented. SQL injection vulnerabilities in WordPress plugins are routinely targeted by automated scanning tools within days of disclosure. The presence of a secondary vulnerability (plaintext reset key storage) that magnifies the impact of the SQL injection makes this plugin a particularly attractive target. Membership sites running ARMember Premium should assume that automated exploitation tooling is being developed and deploy patches proactively — do not wait for confirmed exploitation reports.
What Are the Fixes?
The ARMember Premium development team has released a patched version addressing both vulnerabilities. Update ARMember Premium to a version beyond 7.3.1:
- Log in to your ARMember Premium account or the WordPress admin dashboard
- Update the ARMember Premium plugin to the latest version (beyond 7.3.1)
- If the update is not available through the standard WordPress plugin update mechanism (common for commercial plugins), download the latest version from the ARMember website or your purchase account and manually upload it via Plugins > Add New > Upload Plugin
Recommendations
Update ARMember Premium immediately. The dual-vulnerability disclosure — SQL injection enabling database access plus plaintext password reset key exposure — creates a complete compromise chain. Every membership site running ARMember Premium should be patched today. If you cannot update immediately, consider temporarily disabling the plugin until the patch can be applied.
Rotate all user passwords after patching. If your site was running a vulnerable version for any period after June 2, 2026, rotate passwords for all users — particularly administrators and users with elevated privileges. The plaintext reset key storage means that even if no SQL injection exploitation is detected in your logs, a compromised database backup or any other form of database access could have exposed reset keys.
Audit the arm_reset_password_key user meta field. After updating, check the WordPress usermeta table for entries with the arm_reset_password_key meta key. Delete all existing entries to invalidate any plaintext reset keys that may have been stored. WordPress core’s hashed reset keys are handled separately and are not affected — only the ARMember-prefixed meta keys need to be cleaned.
Review database access logs. Check your web server and database access logs for unusual SQL patterns in requests to ARMember AJAX endpoints (typically /wp-admin/admin-ajax.php with the action=arm_directory_paging_action parameter). Any requests with suspicious order or orderby parameter values — particularly those containing SQL keywords or injection patterns — should be investigated as potential exploitation attempts.
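The following is an added example, not code from ARMember or from this advisory. It shows the allowlist check that makes order and orderby parameters safe (column names and sort direction cannot be bound as prepared-statement placeholders, so a strict allowlist is the correct control for the class of bug described above), and reuses that same check to scan constructed web server access log lines for arm_directory_paging_action requests whose sort parameters fall outside the allowlist. The allowed column names are assumptions; the plugin's real column list is not given here, and POST bodies are not in standard access logs, so only query-string parameters are inspected.

```python
import re
from urllib.parse import parse_qs, urlparse

# Assumed allowlist for illustration; substitute the plugin's real sortable columns.
ALLOWED_ORDERBY = {"user_login", "display_name", "user_registered"}
ALLOWED_ORDER = {"ASC", "DESC"}


def is_safe_sort_param(orderby: str, order: str) -> bool:
    """Strict allowlist: the only robust defence for ORDER BY input, since
    placeholders cannot carry identifiers or the ASC/DESC keyword."""
    return orderby in ALLOWED_ORDERBY and order.upper() in ALLOWED_ORDER


# Constructed combined-format access log sample (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=arm_directory_paging_action&orderby=user_login&order=ASC HTTP/1.1" 200 512
203.0.113.9 - - [03/Jun/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=arm_directory_paging_action&orderby=user_login%20UNION%20SELECT%201&order=ASC HTTP/1.1" 200 9012
198.51.100.4 - - [03/Jun/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20
203.0.113.9 - - [03/Jun/2026:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=arm_directory_paging_action&orderby=display_name&order=ASC%2C(SELECT%201) HTTP/1.1" 200 700
"""

# client IP, timestamp, and request target from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def find_suspicious_requests(log_text: str) -> list:
    """Return arm_directory_paging_action requests whose order/orderby
    values would be rejected by the allowlist check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        # parse_qs percent-decodes values, so encoded spaces and commas surface here
        qs = parse_qs(urlparse(target).query, keep_blank_values=True)
        if qs.get("action", [""])[0] != "arm_directory_paging_action":
            continue
        orderby = qs.get("orderby", [""])[0]
        order = qs.get("order", [""])[0]
        if not is_safe_sort_param(orderby, order):
            hits.append({"ip": ip, "time": ts, "orderby": orderby, "order": order})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Any hit is a candidate for the follow-up checks in the next section (unexpected password resets and logins for the affected site), not proof of compromise on its own.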
Audit for unauthorised account access. Review WordPress login logs and user activity logs for: password resets that the legitimate user does not recall requesting, logins from unrecognised IP addresses or geographic locations, and administrative actions performed outside of normal business hours or by accounts that do not normally perform those actions. Any of these patterns could indicate that a password reset key was used to take over an account.
References
- NVD: CVE-2026-5076 (Plaintext Password Reset Key)
- NVD: CVE-2026-5073 (SQL Injection)
- Vulnerability Intelligence Report — June 3, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 3, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
