Skip to main content

ARMember Premium EUVDEUVD-2026-34003

| CVE-2026-5076 CRITICAL
Improper Authentication (CWE-287)
2026-06-02 Wordfence GHSA-53mc-7vx2-cm58
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 02, 2026 - 20:20 vuln.today
CVE Published
Jun 02, 2026 - 18:30 nvd
CRITICAL 9.8

DescriptionCVE.org

The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the arm_reset_password_key user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in wp_users.user_activation_key. The plaintext key stored in wp_usermeta can be used with the plugin's custom armrp reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.

AnalysisAI

Account takeover in the ARMember Premium WordPress plugin through version 7.3.1 stems from the plugin storing a plaintext password reset key in the arm_reset_password_key user meta field alongside WordPress core's properly hashed token. When chained with the companion SQL injection issues CVE-2026-5073/5074, an unauthenticated attacker can extract the plaintext key and invoke the plugin's armrp reset action to set a new password for any user, including administrators. No public exploit identified at time of analysis, though the chain is described in detail by Wordfence and the CVSS 9.8 rating reflects unauthenticated remote compromise.

Technical ContextAI

ARMember Premium is a commercial membership/content-restriction plugin for WordPress (cpe:2.3:a:armember:armember_premium...). The underlying defect is a CWE-287 Improper Authentication flaw rooted in a parallel, plugin-specific password-reset flow: WordPress core hashes the reset nonce into wp_users.user_activation_key, but the plugin additionally persists the cleartext nonce into wp_usermeta under arm_reset_password_key. The plugin's custom armrp action then validates against that plaintext copy, bypassing the cryptographic property that makes the core reset workflow safe even if the database is partially read. Anywhere the wp_usermeta table can be read - directly or via a SQLi primitive - the entire reset workflow collapses into a credential-equivalent secret stored at rest.

RemediationAI

Upgrade ARMember Premium to a version later than 7.3.1 once the vendor publishes a fix; the provided data does not name a specific fixed release, so the patch status is best characterized as patch availability not independently confirmed from the supplied references - consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6b15eca5-fd47-4f8f-8ade-3a90e0bfc110) and the CodeCanyon product page for the latest build. Until a patched build is installed, remediate the chained SQL injection issues CVE-2026-5073 and CVE-2026-5074 (which are the practical extraction vector), restrict access to the plugin's armrp reset endpoint via a WAF rule, and as a stronger compensating control consider disabling the plugin's custom password reset workflow and forcing users through WordPress core's reset flow - the trade-off is that membership-flow customizations tied to armrp will stop working. As a database-hygiene step, audit and purge stale arm_reset_password_key values from wp_usermeta after patching so any previously leaked plaintext keys cannot be replayed.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-34003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy