CVE-2026-5076: ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An insecure password reset mechanism in ARMember Premium, a WordPress membership plugin, allows unauthenticated attackers to take over any user account including administrators. The plugin stores a plaintext copy of the password reset key in the wp_usermeta database table, which can be extracted by chaining this flaw with related SQL injection vulnerabilities (CVE-2026-5073, CVE-2026-5074) and then used with the plugin's custom reset action to set an arbitrary new password. Successful exploitation gives the attacker full control over the targeted account, including read, write, and administrative access to the WordPress site. No fix has been published; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection of CVE-2026-5076 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Wordfence and NVD. This coverage extends to custom-built WordPress images that bundle the ARMember Premium plugin, not only images pulled from public registries.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting it against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within the customer organization based on configured ownership rules for affected image repositories.
Status: Available
Because no fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. Customers with auto-remediation enabled will automatically receive a rebuild, regression-test run, and a PR opened against affected workloads once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WordPress site over the network; the vulnerable reset endpoint is exposed via standard HTTP/HTTPS.
- Authentication: Not required
No account or credentials are needed; the full attack chain is executable by an anonymous network request.
- Victim interaction: Not required
No user action is required; the attacker only needs a password reset request to have been initiated for a target account, which can be triggered by the attacker themselves.
- Attack complexity: Detail
The exploit is reliable and condition-free once the plaintext reset key is extracted via a companion SQL injection vulnerability; no race conditions or special memory layout is required.
Blast Radius
- Attacker sets a new password for any WordPress user account, including site administrators, and authenticates as that user.
- Attacker reads all stored content, private member data, payment records, and session material accessible to the hijacked account.
- Attacker modifies site configuration, installs or removes plugins, alters published content, and changes user roles or permissions.
- Attacker can create persistent backdoor accounts or exfiltrate the entire WordPress database through the privileged session.
How HarborGuard Handles This
Available on HarborGuard: because no patched version of ARMember Premium has been published, HarborGuard monitors the Wordfence and NVD advisory feeds on every ingest cycle and will automatically flag any fix release. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be initiated the moment an upstream fix version is confirmed. In the interim, compensating controls available to customers include network-policy rules that restrict wp-admin and the custom armrp reset endpoint to known IP ranges, egress filtering to limit database exposure in the event the companion SQL injection flaws are also present, and feature-flag or WAF-rule gating to block requests targeting the armrp action parameter. Customers whose compliance policy surfaces Critical findings for immediate review will see this CVE routed to their security inbox with its full CVSS 9.8 score for prioritization.
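A log review that pairs with the interim controls above, as an added example (not HarborGuard or ARMember code): it counts requests that reference `armrp` in the query string from clients outside an allowlist. It assumes combined-format access logs; the `action` parameter name in the sample lines, the allowlist range and the log lines themselves are constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumption: combined log format. Only the query string is visible here, so
# requests carrying the action in a POST body need WAF or application logging.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

# Constructed allowlist standing in for the site's "known IP ranges".
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def touches_armrp(target):
    """True if any query parameter name or value is 'armrp' after URL-decoding."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes, so encoded spellings are normalised first.
        if "armrp" in (name.strip().lower(), value.strip().lower()):
            return True
    return False

def unexpected_armrp_clients(lines, allowed=ALLOWED_NETS):
    """Count armrp requests per client IP that falls outside the allowlist."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not touches_armrp(m.group("target")):
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # client field is a hostname or malformed
        if not any(ip in net for net in allowed):
            hits[str(ip)] += 1
    return dict(hits)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /?action=armrp HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /?action=armrp HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:06 +0000] "GET /?action=%61rmrp HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Jan/2026:10:01:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 900',
    '198.51.100.23 - - [01/Jan/2026:10:01:09 +0000] "GET /?ACTION=ARMRP HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(unexpected_armrp_clients(SAMPLE))
```

Any client it reports is a candidate for the WAF or network-policy rule, and a prompt to check whether the companion SQL injection issues were also reachable on that site.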
- armember / ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: ≤ 7.3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H