CVE-2026-5073 Overview
CVE-2026-5073 is a SQL Injection vulnerability [CWE-89] affecting the ARMember Premium plugin for WordPress in all versions up to and including 7.3.1. The flaw resides in the arm_get_directory_members() function, which processes the order and orderby parameters of the arm_directory_paging_action AJAX action without sufficient escaping or query preparation. Unauthenticated attackers can append additional SQL queries to existing database operations. Successful exploitation enables extraction of sensitive information from the WordPress database, including user credentials and session data.
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents from any WordPress site running ARMember Premium 7.3.1 or earlier through an exposed AJAX endpoint.
Affected Products
- ARMember Premium plugin for WordPress
- All versions up to and including 7.3.1
- WordPress sites exposing the arm_directory_paging_action AJAX endpoint
Discovery Timeline
- 2026-06-02 - CVE-2026-5073 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-5073
Vulnerability Analysis
The vulnerability exists in the arm_get_directory_members() function of the ARMember Premium plugin. The function constructs a SQL query using the order and orderby parameters supplied through the arm_directory_paging_action AJAX action. The plugin fails to escape these inputs and does not use prepared statements with parameter binding. Attackers can inject arbitrary SQL fragments that the database executes alongside the legitimate query.
The attack vector is network-accessible and requires no authentication or user interaction. The AJAX action is registered for unauthenticated users through WordPress's wp_ajax_nopriv_ hook, exposing the vulnerable code path to any anonymous visitor.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The order and orderby parameters are concatenated into the ORDER BY clause of a database query without sanitization. WordPress's $wpdb->prepare() does not natively handle column names or sort directions, so developers must use esc_sql() or an allow-list. Neither control was applied here.
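A schematic of the concatenation described above beside a hardened form, as an added example that is not ARMember's code; function and column names are assumptions, and $wpdb is WordPress's database object:

```php
<?php
// Added example, not ARMember's own code. Schematic of the vulnerable pattern
// the advisory describes (user text concatenated into ORDER BY) beside a
// hardened version. Function and column names are assumptions; $wpdb is the
// WordPress database object.

// Vulnerable pattern as described: order/orderby reach the SQL as raw strings.
function arm_unsafe_members_sql( $wpdb, array $request ) {
    $orderby = $request['orderby'];
    $order   = $request['order'];
    return "SELECT ID, display_name FROM {$wpdb->users} ORDER BY {$orderby} {$order}";
}

// Hardened version: identifiers come only from an allow-list, the direction is
// one of two literals, and numeric paging values are bound via prepare().
// An allow-list is used instead of esc_sql() because an unquoted identifier in
// ORDER BY is not protected by string escaping.
function arm_safe_members_sql( $wpdb, array $request ) {
    // Assumed sortable columns, mapped to the exact identifier emitted.
    $allowed_orderby = array(
        'id'           => 'ID',
        'display_name' => 'display_name',
        'registered'   => 'user_registered',
    );
    $key     = isset( $request['orderby'] ) ? (string) $request['orderby'] : 'id';
    $orderby = isset( $allowed_orderby[ $key ] ) ? $allowed_orderby[ $key ] : 'ID';

    // Anything other than an exact DESC becomes ASC; no user text is emitted.
    $order = ( isset( $request['order'] ) && strtoupper( (string) $request['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';

    // Clamp paging values; the %d placeholders bind them as integers.
    $per_page = max( 1, min( 100, (int) ( $request['per_page'] ?? 20 ) ) );
    $offset   = max( 0, (int) ( $request['page'] ?? 0 ) ) * $per_page;

    return $wpdb->prepare(
        "SELECT ID, display_name FROM {$wpdb->users} ORDER BY {$orderby} {$order} LIMIT %d OFFSET %d",
        $per_page,
        $offset
    );
}
```

When checking a patched release, look for this shape: the orderby value selected from a fixed map and the direction reduced to ASC/DESC before either touches the query string.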
Attack Vector
An unauthenticated attacker sends a crafted HTTP POST request to /wp-admin/admin-ajax.php specifying action=arm_directory_paging_action with malicious payloads in the order or orderby parameters. The injected SQL executes within the context of the WordPress database user. Common exploitation techniques include UNION-based extraction and time-based blind injection to enumerate the wp_users table and retrieve password hashes and session tokens.
No verified public exploit code is available at this time. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-5073
Indicators of Compromise
- HTTP POST requests to /wp-admin/admin-ajax.php containing action=arm_directory_paging_action with SQL keywords such as UNION, SELECT, SLEEP, or BENCHMARK in the order or orderby parameters
- Unexpected database errors logged by MySQL referencing arm_get_directory_members or malformed ORDER BY clauses
- Anomalous outbound DNS queries from the web server consistent with out-of-band SQL injection exfiltration
- Sudden spikes in admin-ajax.php response times indicating time-based blind injection probing
Detection Strategies
- Inspect web server access logs for repeated requests to admin-ajax.php with the arm_directory_paging_action parameter from a single source IP
- Deploy web application firewall rules that flag SQL metacharacters in the order and orderby parameters of WordPress AJAX requests
- Correlate database query logs with HTTP requests to identify malformed ORDER BY statements originating from the plugin
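One way to run the indicators above over request logs, as an added example that is not part of the advisory; it assumes a log format that records the POST body (a WAF or audit log, since standard access logs omit it), and the sample lines are constructed:

```php
<?php
// Added example, not from the advisory: flag requests matching the
// CVE-2026-5073 indicators. Assumes a log line of the form
// "<ip> <method> <path> <urlencoded body>"; the sample lines are constructed.

$sample_lines = array(
    '203.0.113.7 POST /wp-admin/admin-ajax.php action=arm_directory_paging_action&order=asc&orderby=display_name',
    '203.0.113.7 POST /wp-admin/admin-ajax.php action=arm_directory_paging_action&orderby=%28SELECT%20SLEEP%285%29%29',
    '198.51.100.9 POST /wp-admin/admin-ajax.php action=heartbeat&data=1',
    '203.0.113.7 POST /wp-admin/admin-ajax.php action=arm_directory_paging_action&order=1%20UNION%20SELECT%201--',
);

// Keywords taken from the Indicators of Compromise section above.
const ARM_SQLI_PATTERN = '/(?:\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--|\/\*)/i';

function arm_flag_request( string $line ): ?string {
    // Anything that does not fit the assumed log shape is not a hit.
    if ( ! preg_match( '/^(\S+) (\S+) (\S+) (.*)$/', $line, $m ) ) {
        return null;
    }
    $ip = $m[1]; $path = $m[3]; $body = $m[4];
    if ( substr( $path, -strlen( 'admin-ajax.php' ) ) !== 'admin-ajax.php' ) {
        return null;
    }
    parse_str( $body, $params ); // URL-decodes, like the WAF rule's t:urlDecodeUni
    if ( ( $params['action'] ?? '' ) !== 'arm_directory_paging_action' ) {
        return null;
    }
    // Only the two parameters named in the advisory are inspected.
    foreach ( array( 'order', 'orderby' ) as $name ) {
        $value = $params[ $name ] ?? '';
        if ( is_string( $value ) && preg_match( ARM_SQLI_PATTERN, $value ) ) {
            return sprintf( '%s %s=%s', $ip, $name, $value );
        }
    }
    return null;
}

foreach ( $sample_lines as $line ) {
    $hit = arm_flag_request( $line );
    if ( $hit !== null ) {
        echo 'SUSPECT CVE-2026-5073 probe: ', $hit, PHP_EOL;
    }
}
```

Two of the four constructed lines are reported; the benign sort request and the unrelated heartbeat action are not.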
Monitoring Recommendations
- Enable MySQL general query logging on WordPress database servers and alert on queries containing nested SELECT statements within ORDER BY clauses
- Monitor authentication events for credential reuse following any suspected database compromise
- Track ARMember plugin version inventory across all managed WordPress installations
How to Mitigate CVE-2026-5073
Immediate Actions Required
- Update the ARMember Premium plugin to a version newer than 7.3.1 as soon as the vendor releases a patched build
- Audit WordPress user accounts for unauthorized administrative privileges or recently created accounts
- Rotate all WordPress administrator passwords and invalidate active sessions if exploitation is suspected
- Review database logs for the period since plugin installation to identify potential data exfiltration
Patch Information
At the time of publication, refer to the vendor advisory and the Wordfence Vulnerability Report for the fixed version. Verify the patched release addresses both the order and orderby parameters in arm_get_directory_members(). Product information is available on the Codecanyon Membership System Overview page.
Workarounds
- Deactivate the ARMember Premium plugin until a patched version is installed
- Configure a web application firewall to block requests where action=arm_directory_paging_action contains SQL metacharacters in order or orderby parameters
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where the directory feature is not required for public users
- Apply database-level least privilege so the WordPress database user cannot read sensitive tables outside the WordPress schema
# Example ModSecurity rule blocking SQL keywords in the vulnerable parameters
SecRule ARGS:action "@streq arm_directory_paging_action" \
"id:1026507301,phase:2,chain,deny,status:403,log,\
msg:'CVE-2026-5073 ARMember SQLi attempt'"
SecRule ARGS:order|ARGS:orderby \
"@rx (?i)(union|select|sleep|benchmark|--|/\*)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.