CVE-2026-5076 Overview
CVE-2026-5076 is an authentication weakness in the ARMember Premium plugin for WordPress affecting all versions up to and including 7.3.1. The plugin stores a plaintext copy of the password reset key in the arm_reset_password_key user meta field whenever a user requests a password reset. WordPress core only stores a hashed reset key in wp_users.user_activation_key, but the plugin duplicates the unhashed value in wp_usermeta. An attacker who can read this meta value can call the plugin's custom armrp reset action and set a new password for any account, including administrators.
Critical Impact
Chained with an SQL injection such as CVE-2026-5073 or CVE-2026-5074, unauthenticated attackers can extract plaintext reset keys and take over administrator accounts.
Affected Products
- ARMember Premium plugin for WordPress, all versions through 7.3.1
- WordPress sites using the plugin's armrp custom password reset action
- Membership sites running the plugin as sold on CodeCanyon under the name ARMember Complete WordPress Membership System
Discovery Timeline
- 2026-06-02 - CVE-2026-5076 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-5076
Vulnerability Analysis
The weakness is classified under CWE-287 (Improper Authentication). WordPress core handles password resets by storing only a hashed user_activation_key value, so a copy of the database does not yield a usable reset key. The ARMember Premium plugin breaks this guarantee by writing the plaintext reset key to the arm_reset_password_key field in wp_usermeta at the moment a reset is requested. The plugin's custom armrp action then accepts that plaintext value as proof of identity and allows the caller to set a new password.
Because the secret is duplicated outside of WordPress core's protected storage, any read primitive against wp_usermeta exposes a working credential. The advisory explicitly references SQL injection issues CVE-2026-5073 and CVE-2026-5074 in the same plugin as practical extraction paths. An attacker does not need authentication, user interaction, or local access to complete the takeover.
Root Cause
The root cause is insecure secret storage paired with a custom reset workflow that trusts a non-hashed token. Storing a plaintext equivalent of a hashed secret defeats the protection that WordPress core provides and creates a permanent credential-equivalent value in the database for every account that has ever requested a reset.
Attack Vector
The attack is network-based and requires no privileges. An attacker triggers or waits for a password reset request against a target account, then reads arm_reset_password_key from wp_usermeta through any disclosure primitive, including the chained SQL injection flaws referenced in the advisory. The attacker submits the plaintext key to the plugin's armrp reset action and supplies a new password, gaining full control of the targeted user, including administrators.
No public exploit code is referenced in the advisory. See the Wordfence Vulnerability Report for additional technical detail.
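To make the root cause concrete, here is an added Python model of the two storage behaviours. It is illustration code written for this page, not WordPress core or the ARMember plugin: core's hashed user_activation_key is modelled with HMAC-SHA256 under a per-site salt (standing in for core's password hasher), the plugin's plaintext arm_reset_password_key copy is switched on with a flag, and attacker_takeover gets only what a database read primitive such as the chained SQL injection would give it, the contents of both tables.

```python
"""Model of the CVE-2026-5076 root cause: a reset key that core stores only as
a hash is also written in plaintext to user meta.  Added illustration, not
WordPress or ARMember code; tables are simplified and HMAC-SHA256 under a
per-site salt stands in for core's password hasher (an assumption)."""
import hashlib
import hmac
import secrets
import time

SITE_SALT = secrets.token_bytes(32)   # stand-in for the site's auth salts


def hash_reset_key(key: str) -> str:
    return hmac.new(SITE_SALT, key.encode(), hashlib.sha256).hexdigest()


class Site:
    """In-memory stand-in for wp_users and wp_usermeta."""

    def __init__(self, plaintext_meta_copy: bool):
        # True models the plugin behaviour described on the page.
        self.plaintext_meta_copy = plaintext_meta_copy
        self.users = {}      # ID -> {user_login, user_pass, user_activation_key}
        self.usermeta = []   # (user_id, meta_key, meta_value) rows

    def add_user(self, uid: int, login: str, password: str) -> None:
        self.users[uid] = {"user_login": login, "user_pass": password,
                           "user_activation_key": ""}

    def request_reset(self, uid: int) -> str:
        """Core stores '<timestamp>:<hash>'; the plugin also writes the raw key."""
        key = secrets.token_urlsafe(15)
        self.users[uid]["user_activation_key"] = f"{int(time.time())}:{hash_reset_key(key)}"
        if self.plaintext_meta_copy:
            self.usermeta.append((uid, "arm_reset_password_key", key))
        return key   # in reality delivered only to the user by email

    def check_reset_key(self, uid: int, key: str, max_age: int = 86400) -> bool:
        stored = self.users[uid]["user_activation_key"]
        if not stored:
            return False
        issued, digest = stored.split(":", 1)
        if time.time() - int(issued) > max_age:   # core default: one day
            return False
        return hmac.compare_digest(digest, hash_reset_key(key))

    def reset_password(self, uid: int, key: str, new_password: str) -> bool:
        if not self.check_reset_key(uid, key):
            return False
        self.users[uid]["user_pass"] = new_password
        self.users[uid]["user_activation_key"] = ""   # key is single use
        return True

    def purge_plaintext_keys(self) -> int:
        """The clean-up step from the mitigation section: drop leaked meta rows."""
        before = len(self.usermeta)
        self.usermeta = [r for r in self.usermeta if r[1] != "arm_reset_password_key"]
        return before - len(self.usermeta)


def attacker_takeover(site: Site, uid: int, new_password: str) -> bool:
    """Attacker holding only a database read primitive (e.g. the chained SQLi)."""
    # 1. Read wp_usermeta: with the plugin present this yields the raw key.
    leaked = [v for (u, k, v) in site.usermeta
              if u == uid and k == "arm_reset_password_key"]
    if leaked and site.reset_password(uid, leaked[-1], new_password):
        return True
    # 2. Read wp_users: core's column holds only the hash.  Submitting the hash
    #    as if it were the key gets re-hashed by the check and fails.
    digest = site.users[uid]["user_activation_key"].split(":", 1)[-1]
    return site.reset_password(uid, digest, new_password)


def demo() -> dict:
    """Same database read against a core-only site and one running the plugin."""
    outcome = {}
    for leaky in (False, True):
        site = Site(plaintext_meta_copy=leaky)
        site.add_user(1, "admin", "original-password")
        site.request_reset(1)   # the admin, or the attacker, requests a reset
        outcome[leaky] = attacker_takeover(site, 1, "attacker-chosen")
    return outcome   # {False: False, True: True}
```

demo() shows the whole difference: the same read primitive that is harmless against core-only storage becomes an administrator takeover once the plaintext copy exists. purge_plaintext_keys() is the model of the wp_usermeta clean-up in the mitigation section; it removes the leaked value without invalidating the key the legitimate user received by email, because core's hashed copy is untouched.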
Detection Methods for CVE-2026-5076
Indicators of Compromise
- Presence of the arm_reset_password_key meta key in wp_usermeta for accounts that did not legitimately request a reset.
- Unexpected password changes for administrator accounts followed by logins from unfamiliar IP addresses or user agents.
- Requests to the plugin's armrp reset endpoint that succeed without a preceding email-link click from the legitimate user.
Detection Strategies
- Audit the wp_usermeta table for arm_reset_password_key entries and correlate them with WordPress reset request logs.
- Inspect web server logs for POST requests to URLs containing the armrp action parameter, especially from unauthenticated sessions.
- Alert on administrator role assignments or password changes occurring within minutes of armrp requests.
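The two detection strategies above, as an added Python example (written for this page, not part of the original or of any vendor tooling). Part 1 runs the wp_usermeta audit; the query is written against a constructed SQLite copy of wp_users and wp_usermeta so it runs offline, and the same SQL runs on MySQL once the wp_ prefix is replaced with the site's own. Part 2 scans access-log lines for the reset action and for a login from the same address shortly afterwards. The page does not give the exact request shape of the armrp action, so matching armrp as a query-parameter name or value is an assumption, as are the sample log lines and the placeholder user_activation_key values.

```python
"""Detection helpers for CVE-2026-5076 (added example, not vendor code).
Assumptions: default wp_ table prefix, 'armrp' appears as a query-string
parameter name or value, and the sample rows and log lines are constructed."""
import re
import sqlite3
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

AUDIT_SQL = """
SELECT u.ID, u.user_login, m.meta_value AS leaked_key,
       EXISTS (SELECT 1 FROM wp_usermeta c
               WHERE c.user_id = u.ID AND c.meta_key = 'wp_capabilities'
                 AND c.meta_value LIKE '%"administrator"%') AS is_admin
FROM wp_usermeta m
JOIN wp_users u ON u.ID = m.user_id
WHERE m.meta_key = 'arm_reset_password_key'
ORDER BY is_admin DESC, u.ID
"""


def constructed_db() -> sqlite3.Connection:
    """Constructed data: admin and subscriber with leaked keys, editor without."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_activation_key TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'admin',  '1780000000:placeholder-hash-1'),
          (2, 'alice',  '1780000100:placeholder-hash-2'),
          (3, 'editor', '');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (1, 'arm_reset_password_key', 'k3YleakedInPlaintext'),
          (2, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}'),
          (2, 'arm_reset_password_key', 'anotherPlaintextKey'),
          (3, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    """)
    return db


def audit_leaked_keys(db: sqlite3.Connection) -> list:
    """Accounts with a plaintext reset key in wp_usermeta, administrators first."""
    return [{"ID": r[0], "login": r[1], "leaked_key": r[2], "is_admin": bool(r[3])}
            for r in db.execute(AUDIT_SQL)]


# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
198.51.100.3 - - [02/Jun/2026:10:10:41 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:10:14:03 +0000] "POST /?action=armrp HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [02/Jun/2026:10:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.5.0"
192.0.2.9 - - [02/Jun/2026:11:02:17 +0000] "GET /?page_id=42 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def parsed_lines(log_text: str):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m


def scan_reset_requests(log_text: str) -> list:
    """Requests whose query string names the armrp action (assumed shape)."""
    hits = []
    for m in parsed_lines(log_text):
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        names_and_values = set(qs) | {v for vals in qs.values() for v in vals}
        if "armrp" in names_and_values:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


def followup_logins(log_text: str, window: int = 600) -> list:
    """IPs whose armrp request is followed within `window` seconds by a 302
    from POST /wp-login.php (core redirects only on a successful login)."""
    logins = [(m["ip"], parse_ts(m["ts"])) for m in parsed_lines(log_text)
              if m["method"] == "POST" and m["target"].startswith("/wp-login.php")
              and m["status"] == "302"]
    flagged = []
    for hit in scan_reset_requests(log_text):
        t0 = parse_ts(hit["ts"])
        if any(ip == hit["ip"] and 0 <= (t - t0).total_seconds() <= window
               for ip, t in logins):
            flagged.append(hit["ip"])
    return flagged
```

audit_leaked_keys() is the query to run first on a suspected site: an administrator row is a credential-equivalent secret sitting in the database. followup_logins() covers the "reset then login" pattern from the indicators above; the password change itself is not in the web server log, so correlate its output with database audit events or WordPress activity logs if you have them.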
Monitoring Recommendations
- Forward WordPress access logs and database audit events to a centralized analytics platform for cross-correlation.
- Monitor for SQL injection signatures targeting the ARMember plugin endpoints associated with CVE-2026-5073 and CVE-2026-5074.
- Track new administrator accounts, role elevations, and email address changes on WordPress sites running ARMember Premium.
How to Mitigate CVE-2026-5076
Immediate Actions Required
- Update ARMember Premium to a version later than 7.3.1 as soon as the vendor releases a fixed build via CodeCanyon.
- Force a password reset for all administrators and privileged users on affected sites.
- Delete all existing arm_reset_password_key rows from wp_usermeta to invalidate any leaked plaintext keys. This only clears past leaks: while the plugin is unpatched, the next reset request writes a fresh plaintext key, so repeat the clean-up until the fixed build is installed.
Patch Information
No fixed version is published in the NVD record at the time of disclosure. Refer to the Wordfence Vulnerability Report and the vendor's CodeCanyon listing for patch availability. Apply the vendor update for the related SQL injection issues CVE-2026-5073 and CVE-2026-5074 in the same release cycle.
Workarounds
- Deactivate the ARMember Premium plugin until a patched release is installed if password reset functionality is not business-critical.
- Restrict access to the plugin's armrp reset endpoint at the web application firewall layer. Legitimate reset users are unauthenticated too, so this disables the plugin's reset flow entirely; core's wp-login.php lost-password flow, which stores only the hashed key, remains available to users.
- Enable multi-factor authentication for all administrator accounts to limit the impact of a successful password reset takeover.
# Remove plaintext reset keys left in wp_usermeta; wp db prefix resolves a non-default table prefix
wp db query "DELETE FROM $(wp db prefix)usermeta WHERE meta_key = 'arm_reset_password_key';"
# Force a password reset for all administrators: each account gets a new random password and an email notification (pass --skip-email to suppress it)
wp user reset-password $(wp user list --role=administrator --field=ID)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.