Armember Premium
Monthly
Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.
Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.