CVE-2026-5073
published 2026-06-02


Priority: P1 (80)
CVSS 3.1: 7.5 high (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 1.38% (68.7th percentile)
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Detection & IOCs

URL: /wp-admin/admin-ajax.php
Command: action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name,IF(1=1,SLEEP(6),0)&order=ASC&per_page=10&current_page=1&arm_wp_nonce={{nonce}}
Other: arm_wp_nonce
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the 'action' parameter set to 'arm_directory_paging_action' and SQL time-based blind injection payloads (e.g., SLEEP, IF) in the 'orderby' parameter.
  • A time-based blind SQLi detection threshold of >=6 seconds response duration is used in the PoC; monitor for anomalously slow responses to this AJAX endpoint.
  • The exploit is unauthenticated — no session cookie or authentication header is required. Any POST to admin-ajax.php with action=arm_directory_paging_action from an unauthenticated source should be treated as suspicious.
  • The nonce value 'arm_wp_nonce' is extracted from the page prior to exploitation (regex: `]*value='([a-f0-9]+)'`); monitor for reconnaissance GET requests harvesting this nonce before a subsequent SQLi POST.
  • Confirm exploitation by checking that the response body contains 'arm_directory_paging_container', which the PoC uses as a positive indicator of a successful injected query response.
  • All versions of ARMember Premium up to and including 7.3.1 are vulnerable; ensure the plugin version is checked when scoping detection rules.
  • The injection point is the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX action, specifically within the arm_get_directory_members() function; WAF rules should target both parameters.
  • The PoC uses a 15-second HTTP timeout to accommodate the SLEEP(6) payload; network-level detection using response-time anomalies should use a threshold of ≥6 seconds for this endpoint.
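As an added example (not part of this record, the PoC, or the plugin's code), the detection rules above applied in Python to constructed JSON-lines proxy/WAF records: the field names, the allow-list check on sort keys and the BENCHMARK keyword are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "arm_directory_paging_action"
SLOW_THRESHOLD_S = 6.0  # the PoC's SLEEP(6) delay described above
# Time-delay functions named above (SLEEP, IF); BENCHMARK is an added assumption.
SQLI_FUNCS = re.compile(r"\b(SLEEP|IF|BENCHMARK)\s*\(", re.IGNORECASE)
# Legitimate sort keys are plain identifiers (display_name, ASC, DESC); flag anything else.
IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample records (not real traffic): JSON lines as a reverse proxy
# or WAF might emit them. Field names are assumptions for this example.
SAMPLE_LOG = """\
{"ip": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "cookie": "", "duration_s": 6.41, "body": "action=arm_directory_paging_action&pagination=infinite&id=1&type=directory&orderby=display_name,IF(1=1,SLEEP(6),0)&order=ASC&per_page=10&current_page=1&arm_wp_nonce=0123abcd"}
{"ip": "192.0.2.10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "cookie": "wordpress_logged_in_x=y", "duration_s": 0.12, "body": "action=arm_directory_paging_action&orderby=display_name&order=DESC&per_page=10&current_page=2&arm_wp_nonce=0123abcd"}
{"ip": "192.0.2.11", "method": "POST", "path": "/wp-admin/admin-ajax.php", "cookie": "", "duration_s": 0.05, "body": "action=heartbeat&interval=60"}
"""

def analyse_request(rec):
    """Return the detection reasons that fire for one log record (a dict)."""
    if rec.get("method") != "POST" or not rec.get("path", "").endswith(AJAX_PATH):
        return []
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    if params.get("action", [""])[0] != TARGET_ACTION:
        return []
    reasons = []
    for name in ("orderby", "order"):
        for value in params.get(name, []):
            if SQLI_FUNCS.search(value):
                reasons.append(f"sqli_function_in_{name}")
            elif not IDENTIFIER.match(value):
                reasons.append(f"non_identifier_{name}")
    if float(rec.get("duration_s", 0)) >= SLOW_THRESHOLD_S:
        reasons.append("slow_response")
    if not rec.get("cookie"):  # no session: the action needs none, so note the caller
        reasons.append("unauthenticated_caller")
    return reasons

def scan_log(text):
    """Return (ip, reasons) for every record that triggers at least one rule."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        if reasons := analyse_request(rec):
            hits.append((rec["ip"], reasons))
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the first record, on all three rules; the authenticated directory browse and the unrelated heartbeat call produce no hit.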

CVSS provenance

NVD: v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH