CVE-2026-5073: ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a SQL injection vulnerability in the ARMember Premium plugin for WordPress, affecting all versions up to and including 7.3.1. The vulnerable endpoint is reachable over the network with no authentication required: an attacker sends a crafted 'order' or 'orderby' parameter to the 'arm_directory_paging_action' AJAX action, and the plugin interpolates those values into the ORDER BY clause of the query built in `arm_get_directory_members()` without escaping or allow-listing them. Because a column name and a sort direction cannot be bound as prepared-statement parameters, escaping alone is not a fix; both parameters have to be restricted to a fixed allow-list. Successful exploitation allows the attacker to extract sensitive data from the WordPress database, including user records, password hashes, and membership details. No fix has been published as of the CVE record date; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection: Available. Detection of CVE-2026-5073 is active in every HarborGuard environment. Ingestion from upstream advisory feeds, including Wordfence and NVD, occurs within minutes of publication, and matching against customer images, including custom WordPress-based images that bundle ARMember Premium, runs automatically across all registered registries and CI pipelines.
Triage: Available. The CVSS 3.1 score of 7.5 (HIGH) is applied automatically to any matched image. Per-environment compliance policy weighting can escalate or suppress the finding, and routing rules direct the alert to the appropriate team inbox within each customer organization.
Remediation: Pending upstream. No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. For customers with auto-remediation enabled, that rebuild triggers an automatic regression run and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable AJAX endpoint is exposed over the network, so an attacker must be able to reach the WordPress site's HTTP interface to send the malicious request.
- Authentication: Not required
The 'arm_directory_paging_action' AJAX action accepts unauthenticated requests, so no account or session token is needed to trigger the injection.
- Victim interaction: Not required
The attacker sends the crafted request directly to the server; no user action or social engineering is required.
- Attack complexity: Low
Attack complexity is low, meaning the injection is reliable and straightforward with no race conditions or special environmental conditions required to exploit.
Blast Radius
- Reads arbitrary rows from the WordPress database, including hashed passwords, email addresses, and user role assignments stored in wp_users and wp_usermeta. Because the injection point is the ORDER BY clause, data is usually extracted by inference (making the returned row order or the response time depend on a condition) rather than returned directly; that is slower than a UNION but needs no stacked queries.
- Extracts membership-level records, subscription details, and any custom member profile fields stored by ARMember Premium.
- Retrieves WordPress option values from wp_options, which may include secret keys, API tokens, and plugin configuration secrets stored in plaintext.
- Provides a foundation for follow-on attacks such as account takeover by cracking or reusing extracted credential hashes.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-5073 is active and matches any image found to include ARMember Premium at or below version 7.3.1. Because no upstream patch exists yet, the recommended immediate controls are: blocking or rate-limiting requests to admin-ajax.php whose action parameter is arm_directory_paging_action at the reverse proxy or WAF, or disabling the member directory feature until a fix ships; a WAF rule that rejects any order value other than asc/desc and any orderby value that is not a bare column name, since an injection through ORDER BY has to carry an expression, a subquery or a comment; and a dedicated, least-privilege database account for the WordPress site scoped to its own schema, because the injected SQL executes with whatever privileges that account holds. Network isolation of the WordPress container does not help on its own: the endpoint is reached through the same public HTTP interface as the rest of the site, and the query runs over the application's own database connection, so egress filtering between the container and the database does not reduce exposure. HarborGuard re-evaluates the advisory every ingest cycle; when Wordfence or the plugin author publishes a fix, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, the rebuild is followed by a regression-test run and a PR opened against affected workloads, with median time from CVE patch publication to merged PR for high-severity issues around 90 minutes.
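An added example, not code from the ARMember plugin or from HarborGuard, that reproduces the pattern described in the advisory text and in the controls above in Python against an in-memory SQLite database. The table and column names, the admin hash value, the allow-listed column set and the assumption that the AJAX parameters arrive as plain form fields named action, order and orderby are all constructed for illustration. It shows why the 'order' and 'orderby' parameters cannot be fixed with a prepared statement alone, how an ORDER BY injection leaks a secret one character per request by making the row order depend on a condition, the allow-list form of the query that stops it, and the edge check a WAF rule for this action would implement while the upstream fix is pending.

```python
import sqlite3

# Constructed sample data (not ARMember's real tables or column names): a WordPress
# users table holding a secret, and a member-directory table the paging action lists.
SECRET_HASH = "$P$BxYz"  # constructed stand-in for a phpass hash, not real data


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE arm_members (id INTEGER PRIMARY KEY, display_name TEXT, joined TEXT);
        INSERT INTO arm_members VALUES (1, 'alice', '2024-01-03'),
                                       (2, 'bob',   '2023-11-20'),
                                       (3, 'carol', '2024-05-09');
        """
    )
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    return db


def directory_query_unsafe(db, orderby, order):
    # The vulnerable pattern: the column name and direction are interpolated, not bound.
    # A '?' placeholder cannot carry an identifier or ASC/DESC, so preparing the
    # query would not help here; only an allow-list does.
    sql = f"SELECT id, display_name FROM arm_members ORDER BY {orderby} {order}"
    return [row[1] for row in db.execute(sql)]


def oracle_unsafe(db, pos, guess):
    # One bit per request: if the guessed character is right the rows come back in
    # id ASC order (alice first); if wrong, in -id ASC order (carol first).
    # No UNION, no stacked query, and nothing from wp_users appears in the response.
    expr = (
        "(CASE WHEN (SELECT substr(user_pass,%d,1) FROM wp_users WHERE ID=1)='%s' "
        "THEN id ELSE -id END)" % (pos, guess)
    )
    return directory_query_unsafe(db, expr, "ASC")[0] == "alice"


def leak_secret(db, length, alphabet="$PBxYzabcdefghijklmnopqrstuvwxyz0123456789"):
    # Recover the first `length` characters of the admin hash through the oracle.
    # The alphabet is deliberately small for the demo; a real attacker would walk
    # the full printable set or binary-search on unicode() instead.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if oracle_unsafe(db, pos, ch):
                recovered += ch
                break
        else:
            recovered += "?"
    return recovered


# Hardened form: user input selects from a fixed allow-list and never reaches the
# query text directly. The column names are assumed for this example.
ALLOWED_ORDERBY = {"id", "display_name", "joined"}
ALLOWED_ORDER = {"ASC", "DESC"}


def directory_query_safe(db, orderby, order):
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError("orderby not in allow-list")
    order = order.upper()
    if order not in ALLOWED_ORDER:
        raise ValueError("order must be ASC or DESC")
    sql = f"SELECT id, display_name FROM arm_members ORDER BY {orderby} {order}"
    return [row[1] for row in db.execute(sql)]


def is_suspicious_paging_request(params):
    # Edge check for a WAF or reverse proxy while the upstream fix is pending.
    # Assumes the AJAX parameters arrive as plain form fields named
    # action, order and orderby; only the named action is inspected.
    if params.get("action") != "arm_directory_paging_action":
        return False
    order = params.get("order", "ASC").upper()
    orderby = params.get("orderby", "id")
    return order not in ALLOWED_ORDER or orderby not in ALLOWED_ORDERBY


if __name__ == "__main__":
    db = build_db()
    print("leaked prefix:", leak_secret(db, len(SECRET_HASH)))
    print("safe query:", directory_query_safe(db, "display_name", "desc"))
    payload = {"action": "arm_directory_paging_action",
               "orderby": "(CASE WHEN 1=1 THEN id ELSE -id END)"}
    print("WAF flags payload:", is_suspicious_paging_request(payload))
```

The point of the oracle is that the leak succeeds even though nothing from wp_users is ever returned, which is why escaping the value is not a fix: the fix is to map both parameters onto a closed set before building the query. In a WordPress plugin that is usually a hard-coded array of column names checked with in_array(); WordPress core's sanitize_sql_orderby() covers the common "column ASC/DESC" case, but an explicit allow-list of the plugin's own columns is stricter.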
- armember / ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: ≤ 7.3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N