Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The ARMember - Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
Time-based blind SQL injection in ARMember WordPress plugin versions up to 4.0.60 allows unauthenticated remote attackers to extract sensitive database information via the 'orderby' parameter. The vulnerability stems from insufficient input sanitization in the members directory and shortcode handling classes, enabling attackers to append malicious SQL queries without authentication (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). EPSS data and active exploitation status not available at time of analysis, but the lack of authentication requirements and low attack complexity make this a high-priority remediation target for WordPress sites using ARMember for membership management or content restriction.
Technical ContextAI
This vulnerability affects the ARMember WordPress plugin (CPE: cpe:2.3:a:reputeinfosystems:armember_-_membership_plugin), specifically in the class.arm_members_directory.php and class.arm_shortcodes.php files. The flaw is classified as CWE-89 (SQL Injection), occurring when user-supplied input to the 'orderby' parameter is not properly escaped or parameterized before being incorporated into SQL queries. Time-based blind SQL injection allows attackers to infer database contents by measuring response times to specially crafted queries containing conditional delays (e.g., using SQL SLEEP or WAITFOR functions). The vulnerable code exists in both the member directory listing functionality (line 1019 of class.arm_members_directory.php) and shortcode processing (lines 36 and 434 of class.arm_shortcodes.php), suggesting multiple attack surfaces within the plugin's member management features. WordPress plugins using direct SQL queries without WordPress's $wpdb->prepare() method are particularly susceptible to this class of vulnerability.
RemediationAI
Immediately update ARMember plugin to the latest version above 4.0.60 from the WordPress plugin repository or vendor website. While the exact patched version number is not independently confirmed in the provided data, updates released after version 4.0.60 should address this SQL injection vulnerability. Site administrators should verify the changelog at https://wordpress.org/plugins/armember-membership/ for security fix confirmation before deploying. If immediate patching is not possible, implement the following compensating controls: (1) Deploy a Web Application Firewall (WAF) with SQL injection detection rules to filter malicious 'orderby' parameter values, noting this may break legitimate sorting functionality in member directories; (2) Restrict access to pages using ARMember shortcodes or member directory features to authenticated users only via WordPress access controls, reducing attack surface but limiting plugin functionality; (3) Enable comprehensive database query logging to detect exploitation attempts, though this adds performance overhead; (4) Consider temporarily deactivating ARMember plugin if membership features are non-critical, which eliminates the attack vector but disables all content restriction and membership management capabilities. After patching, review database logs for suspicious query patterns (unusual SLEEP/WAITFOR commands, extended query times) and conduct a security audit of user data to identify potential unauthorized access.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26762