CVE-2026-5074 Overview
CVE-2026-5074 is a SQL Injection vulnerability [CWE-89] in the ARMember Premium plugin for WordPress. The flaw affects all versions up to and including 7.3.1. The sSortDir_0 parameter of the get_private_content_data AJAX action is concatenated directly into the ORDER BY clause of a SQL query without a whitelist check or sufficient sanitization. Authenticated attackers with Subscriber-level access or higher can append additional SQL queries to extract sensitive data from the database. Exploitation requires the optional "User Private Content" addon to be enabled, which is disabled by default.
Critical Impact
Authenticated attackers with low-privileged Subscriber accounts can extract sensitive database contents, including user credentials and private member data, when the "User Private Content" addon is active.
Affected Products
- ARMember Premium plugin for WordPress, all versions through 7.3.1
- WordPress sites with the "User Private Content" addon enabled
- WordPress installations allowing Subscriber-level account registration
Discovery Timeline
- 2026-06-02 - CVE-2026-5074 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-5074
Vulnerability Analysis
The vulnerability resides in the get_private_content_data AJAX action handler exposed by the ARMember Premium plugin. The handler reads the sSortDir_0 request parameter, which controls the sort direction for a DataTables-style query, and concatenates it directly into the ORDER BY clause of a SQL statement. Because the plugin neither sanitizes the value nor validates it against an allowlist of expected values (ASC or DESC), an authenticated user can inject arbitrary SQL fragments. The flaw is a classic second-order injection point: input controls a clause where parameter binding does not apply, and developers commonly forget to enforce strict allowlists.
Root Cause
The root cause is insufficient input validation on a user-supplied parameter that flows into a SQL identifier position. ORDER BY clauses cannot be parameterized through prepared statements, so the plugin must enforce an explicit allowlist. Instead, the value of sSortDir_0 is interpolated into the query string unchanged, allowing attackers to break out of the clause and append UNION SELECT or stacked subqueries.
Attack Vector
An attacker first registers or authenticates as a low-privileged Subscriber on the target WordPress site. The attacker then issues a crafted POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) invoking the get_private_content_data action with a malicious sSortDir_0 payload. The injected SQL executes in the context of the WordPress database user, enabling extraction of records from the wp_users, wp_usermeta, and plugin-specific tables. Exploitation is only possible when the "User Private Content" addon is enabled, which is not the default configuration.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Analysis for additional technical details.
Detection Methods for CVE-2026-5074
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=get_private_content_data paired with non-standard sSortDir_0 values such as SQL keywords (UNION, SELECT, SLEEP, BENCHMARK).
- Unexpected SQL errors logged by the WordPress database layer referencing the ORDER BY clause.
- Newly created Subscriber accounts followed shortly by repeated AJAX requests to the ARMember endpoint.
Detection Strategies
- Inspect web server access logs for admin-ajax.php requests where the sSortDir_0 parameter contains characters outside [A-Za-z] or values other than ASC and DESC.
- Deploy a Web Application Firewall (WAF) ruleset that flags SQL metacharacters in WordPress AJAX parameters.
- Correlate authentication events for low-privileged accounts with bursts of AJAX traffic to ARMember endpoints.
Monitoring Recommendations
- Enable WordPress query logging or use database audit features to record queries containing concatenated ORDER BY values.
- Monitor for anomalous read volumes from the WordPress database user, particularly against wp_users and wp_usermeta.
- Alert on registration spikes followed by immediate AJAX activity, indicating automated exploitation attempts.
How to Mitigate CVE-2026-5074
Immediate Actions Required
- Update the ARMember Premium plugin to a version newer than 7.3.1 as soon as the vendor publishes a patched release.
- Disable the "User Private Content" addon if it is not required for site functionality, which removes the vulnerable code path entirely.
- Audit existing Subscriber accounts and remove unused or suspicious registrations.
- Restrict open user registration where business requirements allow.
Patch Information
At the time of publication, refer to the vendor listing on CodeCanyon Membership System for the latest plugin release. Review the Wordfence Vulnerability Analysis to confirm the fixed version before deploying.
Workarounds
- Disable the "User Private Content" addon within the ARMember Premium settings until a patched release is installed.
- Deploy a virtual patch through a WAF that rejects requests to admin-ajax.php with action=get_private_content_data when sSortDir_0 is not strictly ASC or DESC.
- Temporarily disable new user registration or require manual approval to limit the pool of authenticated attackers.
# Example WAF rule (ModSecurity) to block injection attempts against the vulnerable parameter
SecRule ARGS:action "@streq get_private_content_data" \
"chain,phase:2,deny,status:403,id:1026507401,msg:'CVE-2026-5074 ARMember SQLi attempt'"
SecRule ARGS:sSortDir_0 "!@rx ^(ASC|DESC)$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
