Skip to main content

ARMember WordPress Plugin EUVDEUVD-2026-26762

| CVE-2026-7649 HIGH
SQL Injection (CWE-89)
2026-05-02 Wordfence
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 08:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 07:30 euvd
EUVD-2026-26762
Analysis Generated
May 02, 2026 - 07:30 vuln.today
CVE Published
May 02, 2026 - 06:44 nvd
HIGH 7.5

DescriptionCVE.org

The ARMember - Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

Time-based blind SQL injection in ARMember WordPress plugin versions up to 4.0.60 allows unauthenticated remote attackers to extract sensitive database information via the 'orderby' parameter. The vulnerability stems from insufficient input sanitization in the members directory and shortcode handling classes, enabling attackers to append malicious SQL queries without authentication (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). EPSS data and active exploitation status not available at time of analysis, but the lack of authentication requirements and low attack complexity make this a high-priority remediation target for WordPress sites using ARMember for membership management or content restriction.

Technical ContextAI

This vulnerability affects the ARMember WordPress plugin (CPE: cpe:2.3:a:reputeinfosystems:armember_-_membership_plugin), specifically in the class.arm_members_directory.php and class.arm_shortcodes.php files. The flaw is classified as CWE-89 (SQL Injection), occurring when user-supplied input to the 'orderby' parameter is not properly escaped or parameterized before being incorporated into SQL queries. Time-based blind SQL injection allows attackers to infer database contents by measuring response times to specially crafted queries containing conditional delays (e.g., using SQL SLEEP or WAITFOR functions). The vulnerable code exists in both the member directory listing functionality (line 1019 of class.arm_members_directory.php) and shortcode processing (lines 36 and 434 of class.arm_shortcodes.php), suggesting multiple attack surfaces within the plugin's member management features. WordPress plugins using direct SQL queries without WordPress's $wpdb->prepare() method are particularly susceptible to this class of vulnerability.

RemediationAI

Immediately update ARMember plugin to the latest version above 4.0.60 from the WordPress plugin repository or vendor website. While the exact patched version number is not independently confirmed in the provided data, updates released after version 4.0.60 should address this SQL injection vulnerability. Site administrators should verify the changelog at https://wordpress.org/plugins/armember-membership/ for security fix confirmation before deploying. If immediate patching is not possible, implement the following compensating controls: (1) Deploy a Web Application Firewall (WAF) with SQL injection detection rules to filter malicious 'orderby' parameter values, noting this may break legitimate sorting functionality in member directories; (2) Restrict access to pages using ARMember shortcodes or member directory features to authenticated users only via WordPress access controls, reducing attack surface but limiting plugin functionality; (3) Enable comprehensive database query logging to detect exploitation attempts, though this adds performance overhead; (4) Consider temporarily deactivating ARMember plugin if membership features are non-critical, which eliminates the attack vector but disables all content restriction and membership management capabilities. After patching, review database logs for suspicious query patterns (unusual SLEEP/WAITFOR commands, extended query times) and conduct a security audit of user data to identify potential unauthorized access.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-26762 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy