CVE-2026-5073: ARMember Premium SQL Injection Vulnerability – Database Exposure Risk
The ARMember Premium WordPress plugin contains a SQL injection flaw in its directory member listing feature. Attackers can manipulate how results are sorted to inject malicious SQL commands, potentially stealing sensitive data from the WordPress database without needing to log in. The vulnerability affects all versions through 7.3.1.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-5073 is a SQL injection vulnerability in the ARMember Premium plugin's AJAX handler for directory pagination. The vulnerability exists in the `arm_get_directory_members()` function, where the 'order' and 'orderby' parameters passed to the 'arm_directory_paging_action' AJAX action are insufficiently escaped and not properly prepared in parameterized queries. An attacker can craft a request with malicious SQL syntax in these parameters to break out of the intended query context and execute arbitrary SQL. The lack of input validation and prepared statement usage allows UNION-based, time-based blind, or error-based SQL injection techniques to extract data.
Business impact
Organizations running ARMember Premium are exposed to data exfiltration of WordPress database contents, including user records, member profiles, and any sensitive information stored within the database. Compromised data could include credentials, personal information, and payment details if stored unencrypted. The unauthenticated nature of the attack means any Internet-facing WordPress site with the plugin is at risk without additional network controls. Remediation delays increase the window of exposure for database harvesting attacks.
Affected systems
WordPress installations with ARMember Premium plugin installed and activated in versions 7.3.1 and earlier. The AJAX endpoint is exposed to unauthenticated requests, making any public WordPress site with this plugin a potential target regardless of membership status.
Exploitability
Exploitability is high. The attack requires only network access to the WordPress site and knowledge of the AJAX action name and parameter structure—no authentication, user interaction, or complex setup is required. Standard SQL injection fuzzing and automation tools can identify and exploit this vulnerability. The public nature of AJAX endpoints makes reconnaissance trivial.
Remediation
Update ARMember Premium to a patched version released after June 2, 2026—verify the specific version number against the vendor's security advisory. If an update is not immediately available, disable the ARMember Premium plugin or restrict access to the WordPress installation via web application firewall rules blocking requests to 'arm_directory_paging_action' AJAX endpoints. As a temporary measure, implement input validation and WAF rules to reject requests containing SQL syntax characters in 'order' and 'orderby' parameters.
Patch guidance
Check the ARMember Premium vendor security advisory for the patched version number. Apply the update through the WordPress plugin management interface or directly via vendor channels. Test the update in a staging environment before production deployment to ensure compatibility with custom configurations. After patching, verify that directory functionality operates correctly and review access logs for signs of prior exploitation.
Detection guidance
Monitor web server and WAF logs for requests to 'wp-admin/admin-ajax.php' with action parameter 'arm_directory_paging_action' containing suspicious characters such as single quotes, semicolons, SQL keywords (UNION, SELECT, WHERE), or encoded variants (%27, %3B, %55, %4E, %49, %4F, %4E). Set up SIEM alerts for multiple failed SQL injection attempts from the same source. Query WordPress database logs for unusual or high-volume queries initiated during the vulnerability window. Correlate timing with plugin activation dates to identify installations at risk.
Why prioritize this
This vulnerability should be prioritized for immediate patching. The CVSS 7.5 HIGH score reflects the combination of unauthenticated access, low attack complexity, and high confidentiality impact. Publicly disclosed SQL injection flaws in popular WordPress plugins attract active exploitation. Delay in patching creates significant data exfiltration risk, particularly for sites storing payment or personal information. Organizations should treat this as a critical action item.
Risk score, explained
CVSS 3.1 score of 7.5 (HIGH) reflects: AV:N (network-accessible AJAX endpoint), AC:L (straightforward exploitation with standard tools), PR:N (no authentication required), UI:N (no user interaction needed), S:U (impact limited to the affected system), C:H (unrestricted read access to database), I:N (no integrity impact), A:N (no availability impact). The high confidentiality impact and zero barriers to exploitation justify the HIGH severity rating.
Frequently asked questions
How would an attacker discover and exploit this vulnerability?
An attacker would identify a WordPress site running ARMember Premium through plugin detection tools or by observing AJAX requests. They would then send crafted HTTP POST requests to 'wp-admin/admin-ajax.php' with 'action=arm_directory_paging_action' and inject SQL syntax into the 'order' or 'orderby' parameters. Standard SQL injection payloads (UNION SELECT, subqueries, time-delay functions) would extract database structure and data without requiring authentication or user interaction.
What data is most at risk if this vulnerability is exploited?
Any data stored in the WordPress database is potentially at risk, including user accounts and credentials, member profiles, email addresses, WordPress configuration, and any custom data stored by other plugins or the site. If the site integrates payment processing, financial records could be exposed. However, the attacker's access is limited to what the WordPress database user account can read—data encrypted at rest outside the database or in separate systems is not directly affected.
Does this vulnerability require the ARMember directory feature to be actively used?
The vulnerability exists in the directory listing AJAX handler, but exploitation does not depend on the directory being actively browsed by legitimate users. An attacker can directly invoke the vulnerable AJAX endpoint with malicious parameters regardless of whether the directory is public or restricted. The attack is entirely attacker-initiated and does not depend on user interaction.
What if I cannot update immediately?
Implement network-level controls by blocking requests to 'wp-admin/admin-ajax.php?action=arm_directory_paging_action' at your WAF or firewall, or restrict access to WordPress to trusted networks only. Disable the ARMember Premium plugin if it is not essential to operations. Monitor logs closely for exploitation attempts. These are temporary measures—update as soon as a patched version is available.
This analysis is provided for informational purposes and reflects the vulnerability details published as of June 2, 2026. CVSS scores and severity ratings are based on NIST/NVD standards. Organizations must verify patch availability and version numbers directly with the ARMember plugin vendor or official WordPress plugin repository. This assessment does not constitute a guarantee of exploitability in any specific environment. Network and application architecture variations may affect real-world impact. SEC.co recommends testing patches in non-production environments before deployment. Consult your security team and vendor advisories for environment-specific remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access