Skip to main content

Armember Premium

1 CVEs product

Monthly

CVE-2026-27060 HIGH This Week

Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.

Deserialization PHP Armember Premium
NVD
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP object injection in the ARMember Premium WordPress membership plugin (all versions through 7.0) lets low-privileged Contributor-level users pass attacker-controlled serialized data into a PHP unserialize() sink, potentially chaining with POP gadgets to achieve high-impact compromise. With a CVSS of 8.8 and network vector, a user holding only a Contributor account can reach confidentiality, integrity, and availability impacts. No public exploit has been identified at time of analysis and it is not on CISA KEV, but the vulnerability class is well understood and reliably weaponizable where a suitable gadget chain exists.

Deserialization PHP Armember Premium
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy