CVE-2026-5074: ARMember Premium SQL Injection in User Private Content Addon
ARMember Premium, a WordPress plugin, contains a SQL Injection vulnerability in its AJAX handler that processes user-supplied sort parameters without proper validation. An authenticated user with basic Subscriber privileges or higher can craft malicious input to extract sensitive data from the site's database. The vulnerability only impacts sites that have explicitly enabled the optional 'User Private Content' addon, which is disabled by default, limiting the blast radius.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if the "User Private Content" addon is enabled, which is disabled by default..
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-5074 is a SQL Injection flaw (CWE-89) in ARMember Premium up to version 7.3.1. The `get_private_content_data` AJAX action accepts the 'sSortDir_0' parameter and concatenates it directly into an ORDER BY clause without sanitization or whitelist validation. Because the parameter is user-controllable and not restricted to safe values (e.g., ASC/DESC), authenticated attackers can inject arbitrary SQL to modify query logic and exfiltrate data. Authentication is required—the vulnerability does not affect unauthenticated visitors—but the threshold is low (Subscriber role). The attack vector is network-based with no user interaction required.
Business impact
Compromise of sensitive database contents poses significant risk to site operators and their users. Attackers could extract customer records, email addresses, payment information, or other private content stored in the database. Data breaches trigger regulatory obligations (GDPR, CCPA, etc.), harm user trust, and may incur compliance penalties. The conditional nature of the vulnerability (addon must be enabled) means impact is limited to deployments with the User Private Content feature active, but any affected site faces high-stakes data loss.
Affected systems
WordPress sites running ARMember Premium plugin versions up to and including 7.3.1, with the 'User Private Content' addon enabled. Sites with the addon disabled are not affected. Any user role from Subscriber upward can trigger the attack, making the exploitation pool potentially large on multiuser or membership-based WordPress installations.
Exploitability
Exploitation requires valid authentication credentials—the attacker must have at least Subscriber-level access. No complex attack chain is needed once authentication is established; the malicious parameter can be supplied to the vulnerable AJAX endpoint directly. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so no widespread active exploitation has been documented at this time. However, the simplicity of the attack and the low authentication barrier mean exploitation is straightforward for insiders or account-compromise scenarios.
Remediation
Upgrade ARMember Premium to a patched version released after 7.3.1 (verify against the vendor advisory for the exact version number). Until patching is possible, disable the 'User Private Content' addon if it is not essential to your operations, which will prevent the vulnerable code path from being reached. Additionally, restrict Subscriber-level user creation and audit existing accounts for suspicious activity.
Patch guidance
Consult the official ARMember Premium plugin repository and vendor security advisories to confirm the availability and version number of a patched release. Given the publication date of June 2026, patches may be released as out-of-band updates or in the next scheduled release cycle. Test patches in a staging environment before rolling out to production. If your deployment uses automated plugin updates, ensure the mechanism will pull in the security fix without breaking dependencies.
Detection guidance
Monitor web server logs and database query logs for unusual patterns in requests to the `/wp-admin/admin-ajax.php?action=get_private_content_data` endpoint, especially from authenticated low-privilege accounts. Watch for AJAX requests containing SQL keywords (UNION, SELECT, WHERE, etc.) in the 'sSortDir_0' parameter. Database audit logs should flag unexpected or malformed ORDER BY clauses that deviate from simple ASC/DESC values. Consider enabling WordPress security plugins with SQL injection detection to flag such requests in real time.
Why prioritize this
Although the CVSS score is MEDIUM (6.5), prioritization should reflect the authentication requirement and conditional addon enablement. The vulnerability is lower-urgency than unauthenticated remote code execution but warrants near-term attention due to the high confidentiality impact (database extraction) and low exploitation friction among insiders or compromised accounts. Organizations with multiuser WordPress installations, active Subscriber-level user bases, or customer data should patch sooner; single-administrator sites with the addon disabled can defer.
Risk score, explained
The CVSS:3.1 score of 6.5 (MEDIUM) reflects: Network-based attack vector, low attack complexity, and low privilege requirements offset by the need for prior authentication. High confidentiality impact (C:H) captures the database extraction risk, but integrity and availability are not affected (I:N, A:N). The conditional nature of the vulnerability (addon must be enabled) and the lack of active exploitation reduce practical severity, keeping the score in the MEDIUM band. Organizational risk may differ based on the presence of the addon, the number of Subscriber accounts, and the sensitivity of stored data.
Frequently asked questions
Do I need to patch if the User Private Content addon is disabled?
No. The vulnerable code is only reachable if the addon is explicitly enabled. If it is disabled by default in your deployment, you are not affected. However, verify your plugin configuration to confirm the addon is indeed off, and consider patching anyway as part of routine maintenance.
Can a user with just Subscriber access really extract my entire database?
Only data accessible through the vulnerable AJAX action and its underlying database query. A Subscriber-level attacker cannot extract arbitrary data from unrelated tables, but they can potentially extract sensitive information from the private content table and potentially pivot to other data depending on database permissions and query structure. Test your specific setup to understand the exposure.
Is there a workaround if I cannot patch immediately?
Yes. Disable the 'User Private Content' addon in ARMember settings until a patch is available. This prevents the vulnerable endpoint from being active. You may also implement Web Application Firewall (WAF) rules to block requests containing SQL keywords in the 'sSortDir_0' parameter, but this is a temporary measure and not a substitute for patching.
How do I know if this vulnerability was exploited against my site?
Review access logs for requests to `/wp-admin/admin-ajax.php?action=get_private_content_data` from low-privilege user accounts, especially if those requests contain unusual characters or SQL syntax. Check database transaction logs for abnormal queries from your application user account around the time of the attack. Consider running a database integrity check and reviewing user account creation dates and access patterns.
This analysis is based on publicly available vulnerability data and vendor disclosures as of the publication date. SEC.co makes no warranty regarding the completeness, accuracy, or applicability of this information to your specific environment. Always verify patch availability and compatibility with your WordPress setup before deploying updates. Test patches in a non-production environment first. Consult the official ARMember vendor advisories and your security team for guidance tailored to your organization's risk profile and technical architecture. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-0075MEDIUMAndroid SQL Injection in Contacts Database – Privilege Escalation Risk
- CVE-2026-10039MEDIUMFrontend Admin WordPress Plugin SQL Injection Vulnerability
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10176MEDIUMSQL Injection in Aider-AI Aider 0.86.3 Code Generation
- CVE-2026-10193MEDIUMSQL Injection in OFCMS ComnController – Authentication Required
- CVE-2026-10202MEDIUMOFCMS 1.1.3 SQL Injection in SystemDictController