← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-5073 · CWE-89 · Disclosed 2026-06-02

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the…

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a burglar trying the side gate, not kicking in the front door

CVE-2026-5073 is an unauthenticated SQL injection in the premium ARMember WordPress plugin, triggered through the order parameter of the arm_directory_paging_action AJAX flow. Based on the disclosure details you provided and the surrounding June 2, 2026 ARMember advisories, the affected range is ARMember Premium <= 7.3.1, with 7.3.2 appearing to be the first fixed release. The bug sits in member-directory functionality, which matters because it is not the same as a generic flaw reachable on every WordPress page.

paragraphs

"Real bug, real data exposure, but narrower than the CVSS suggests because the vulnerable path depends on ARMember directory exposure."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Fingerprint a WordPress site using ARMember Premium

The attacker first identifies a WordPress target running ARMember Premium, usually by plugin asset paths, page markup, or exposed member-directory pages. This is straightforward commodity recon, but the premium edition has a much smaller population than mass-market plugins.
Conditions required:
  • Target is internet-accessible
  • ARMember Premium is installed
  • Plugin artifacts or pages are externally fingerprintable
Where this breaks in practice:
  • ARMember Premium is a niche premium plugin rather than a 100k+ free-plugin staple
  • Some sites hide plugin paths behind caching/CDN rewrites
  • Technology fingerprinting is noisy and imperfect
Detection/coverage: External attack-surface tools and WordPress-focused scanners can often fingerprint the plugin, but premium-plugin coverage is less reliable than for repository plugins.
STEP 02

Reach the vulnerable directory AJAX action

The attacker has to hit the admin-ajax.php path and invoke the ARMember directory paging action that consumes the order parameter. In practice this usually implies the member-directory feature is enabled and reachable, because this action is tied to directory paging rather than a core login or registration path.
Conditions required:
  • /wp-admin/admin-ajax.php is reachable
  • ARMember member-directory functionality is enabled
  • The vulnerable AJAX action is exposed to unauthenticated callers
Where this breaks in practice:
  • Not every ARMember deployment exposes a public directory
  • Some deployments restrict directory visibility to logged-in users
  • WAFs commonly scrutinize admin-ajax.php because it is a high-abuse WordPress endpoint
Detection/coverage: Look for POST or GET requests to wp-admin/admin-ajax.php containing action=arm_directory_paging_action and suspicious order= payloads.
STEP 03

Inject SQL through the order parameter

If the parameter is concatenated into an ORDER BY or related SQL fragment without proper allow-listing, the attacker can alter query behavior and turn the request into a data-extraction primitive. Depending on the exact query shape, exploitation is often blind or semi-blind rather than clean row-returning SQLi, which slows mass exploitation.
Conditions required:
  • Input reaches the SQL layer unsafely
  • Backend database behavior permits exploitable syntax in the order field
Where this breaks in practice:
  • Blind SQLi is slower and noisier than direct union-based dumping
  • Character filtering, database error suppression, and caching can break automation
  • Managed WAF rules often catch obvious SQL metacharacters and timing payloads
Detection/coverage: WAF/NGFW telemetry and web logs can flag quote characters, comments, sleep, or order-clause anomalies against the directory action.
STEP 04

Read sensitive WordPress data

Successful exploitation can expose data from wp_users, wp_usermeta, and plugin-specific tables, which is meaningful even if the CVSS only models confidentiality loss. On its own that is a serious breach; paired with the separately disclosed ARMember password-reset weakness from June 2, 2026, database read access can become account takeover.
Conditions required:
  • SQLi works reliably enough to enumerate or extract data
  • Interesting records exist in the database
Where this breaks in practice:
  • Standalone CVE-2026-5073 is still primarily a data-theft issue, not direct RCE
  • Large exfiltration through blind queries is slow and operationally noisy
Detection/coverage: Database and app logs may show repeated AJAX hits with abnormal response timing or cardinality; DAST tools may miss this if the directory page is not exposed during crawling.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence surfaced in the checked sources as of 2026-06-03.
KEV statusNot listed in CISA KEV as of 2026-06-03; generic catalog reference checked at CISA KEV.
Public PoC availabilityNo public GitHub PoC for CVE-2026-5073 surfaced in quick-source checks. That lowers mass-exploitation velocity, not underlying impact.
EPSSNo FIRST EPSS result was retrievable in the checked public sources as of 2026-06-03; treat EPSS as unknown, not low.
CVSS vector reality checkAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N is directionally right for the *technical* flaw, but it overstates reachable population because the bug appears tied to member-directory AJAX rather than a universally hit path.
Affected versionsARMember Premium <= 7.3.1 per the disclosure details provided and corroborating ARMember June 2026 fix cadence.
Fixed version7.3.2 or later appears to be the first patched build, based on ARMember's changelog and the related June 2, 2026 ARMember security advisories.
Exposure populationWebTechSurvey reports roughly 1,298 live websites using ARMember Premium, with 430 in the United States. That is real internet exposure, but far from the scale of mainstream WordPress plugins.
Feature-level exposure frictionDirectory-specific support threads and demo material indicate ARMember member directories are configurable and can be private to registered users, which narrows the exploitable subset in real deployments.
Disclosure contextDisclosed 2026-06-02. A same-day related advisory, CVE-2026-5076, explicitly says SQLi issues such as CVE-2026-5073 can be chained into full account takeover.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to HIGH (7.1/10)

The deciding factor is that this is still unauthenticated remote SQLi on an internet-facing WordPress endpoint, which keeps it out of MEDIUM even with deployment friction. What prevents a higher score is that the reachable population is materially narrower than the vendor CVSS implies because the vulnerable code path appears tied to member-directory exposure, not a universally exercised core workflow.

HIGH Standalone severity remains at least HIGH because unauthenticated remote SQLi can expose credential and user data
MEDIUM Exposure fraction is narrowed by feature-level dependency on ARMember directory functionality
MEDIUM Patched version inference at 7.3.2 based on adjacent June 2026 vendor and ecosystem data

Why this verdict

  • Baseline stays high: unauthenticated remote SQLi against WordPress admin-ajax.php is never backlog-grade.
  • Downward adjustment for attacker reach: the prerequisite is not just 'site runs plugin' but 'site exposes the vulnerable member-directory workflow,' which trims real-world exposure.
  • Downward adjustment for population: ARMember Premium has a much smaller installed base than mass-exploited free plugins, so internet-scale spray-and-pray value is lower.
  • Downward adjustment for exploit ergonomics: directory-oriented SQLi is often blind or semi-blind, making exfil slower and noisier than cleaner SQLi cases.
  • Upward adjustment for chain potential: database read access can become materially worse when combined with the same-day ARMember password-reset flaw, even though that chain is a separate CVE.

Why not higher?

This is not scored CRITICAL because the standalone bug is a confidentiality issue, not immediate code execution or direct auth bypass. More importantly, the attack path appears to depend on a specific directory feature being reachable, which means the vendor's broad AV:N/PR:N view is technically true but operationally over-generous.

Why not lower?

It is still unauthenticated remote SQL injection on a common web stack component, which can expose user records, hashes, emails, and plugin metadata without prior compromise. Once an attacker lands this on a public site, the defender is dealing with a real breach path, not a theoretical misconfiguration.

05 · Compensating Control

What to do — in priority order.

  1. Block the vulnerable AJAX action at the edge — Create a WAF or reverse-proxy rule that denies requests to wp-admin/admin-ajax.php containing action=arm_directory_paging_action from unauthenticated users, or strips/allow-lists the order parameter. For a HIGH verdict, deploy this within 30 days unless business owners confirm the directory feature can be disabled sooner.
  2. Disable public member directories — If the business can tolerate it, turn off ARMember's public directory pages or make them authenticated-only. This directly removes the most likely exposed path and should be done within 30 days for internet-facing sites running affected versions.
  3. Tighten SQLi signatures on WordPress AJAX — Push tuned WAF signatures for quotes, comments, sleep, and order-clause tampering against admin-ajax.php, especially for ARMember paths. This is not a substitute for patching, but it buys coverage while you work through the 30-day mitigation window.
  4. Hunt for suspicious directory-action requests — Query web logs for arm_directory_paging_action, unusual order= values, repeated timing-style probes, and bursts from single IPs. Complete the first retrospective hunt within 30 days so you can separate routine patching from likely compromise response.
What doesn't work
  • Generic WordPress hardening alone does not fix SQLi in plugin code; hiding /wp-admin/ or changing login URLs does nothing for admin-ajax.php.
  • MFA does not stop the standalone data-exposure bug because the attacker does not need to log in to reach the vulnerable path.
  • CDN caching is not a reliable defense; dynamic AJAX requests often bypass cache and still hit origin PHP.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or inside the container/VM that holds the plugin files. Invoke it as bash verify-armember-cve-2026-5073.sh /var/www/html and give it read access to the WordPress plugin directory; root is not required unless permissions are locked down.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify-armember-cve-2026-5073.sh
# Checks local ARMember Premium version against CVE-2026-5073 affected range.
# Usage: bash verify-armember-cve-2026-5073.sh /path/to/wordpress
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

WP_ROOT="${1:-}"
if [[ -z "$WP_ROOT" ]]; then
  echo "UNKNOWN - missing WordPress root path argument"
  exit 2
fi

PLUGIN_MAIN="$WP_ROOT/wp-content/plugins/armember/armember.php"
PLUGIN_ALT="$WP_ROOT/wp-content/plugins/armember-premium/armember.php"
TARGET_FILE=""

if [[ -f "$PLUGIN_MAIN" ]]; then
  TARGET_FILE="$PLUGIN_MAIN"
elif [[ -f "$PLUGIN_ALT" ]]; then
  TARGET_FILE="$PLUGIN_ALT"
else
  echo "UNKNOWN - ARMember plugin file not found under expected paths"
  exit 2
fi

VERSION=$(grep -Eim1 '^\s*Version:\s*' "$TARGET_FILE" | sed -E 's/^\s*Version:\s*//I' | tr -d '\r' | xargs)

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - could not extract plugin version from $TARGET_FILE"
  exit 2
fi

verlte() {
  [[ "$1" == "$2" ]] && return 0
  local first
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  [[ "$first" == "$1" ]]
}

# Affected range based on current disclosure: ARMember Premium <= 7.3.1
if verlte "$VERSION" "7.3.1"; then
  echo "VULNERABLE - ARMember version $VERSION detected at $TARGET_FILE"
  exit 1
fi

if verlte "7.3.2" "$VERSION"; then
  echo "PATCHED - ARMember version $VERSION detected at $TARGET_FILE"
  exit 0
fi

echo "UNKNOWN - parsed version '$VERSION' could not be classified"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a public web-app data exposure bug with feature-level friction: inventory every WordPress host running ARMember Premium, identify which ones expose member-directory functionality, and put an edge block or feature disablement in place for those sites within the noisgate mitigation SLA of 30 days. Then move every affected install to 7.3.2+ within the noisgate remediation SLA of 180 days; if any site also carries the June 2, 2026 password-reset issue path that can chain with this SQLi, push that subset to the front of the queue immediately even though CVE-2026-5073 alone is not a CRITICAL by itself.

Sources

  1. ARMember changelog
  2. ARMember member directory demo
  3. WordPress.org ARMember support forum
  4. WebTechSurvey ARMember Premium usage data
  5. WordPress Vulnerability Database entry index
  6. CVEFeed details for related ARMember chain issue CVE-2026-5076
  7. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.