CVE-2026-5073
SQL Injection in ARMember WordPress Plugin
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| reputeinfosystems | armember | to 7.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The ARMember Premium plugin for WordPress has a vulnerability known as SQL Injection in its 'order' parameter of the 'arm_directory_paging_action' AJAX action. This affects all versions up to and including 7.3.1.
The issue arises because the plugin does not properly escape user-supplied 'order' and 'orderby' parameters and does not sufficiently prepare the SQL query in the function arm_get_directory_members().
As a result, unauthenticated attackers can inject additional SQL queries into existing queries, potentially extracting sensitive information from the database.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to perform SQL Injection attacks, which can lead to unauthorized access to sensitive data stored in the database.
Because the attacker can append additional SQL queries, they might extract confidential information without needing any privileges or authentication.
The CVSS score of 7.5 indicates a high severity, meaning the impact on confidentiality is significant, though integrity and availability are not directly affected.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the ARMember Premium plugin to a version later than 7.3.1 where the SQL Injection issue has been fixed.
Additionally, consider restricting access to the affected AJAX action and monitor your systems for any suspicious activity related to SQL injection attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the ARMember Premium plugin allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.
Such unauthorized access to sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized disclosure.
Therefore, exploitation of this vulnerability may result in violations of these standards due to potential data breaches.