CVE-2026-5076 · The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1.

01 · The Real Story

This is a house key left under the mat, but an attacker still needs a way to peek under the mat

In ARMember Premium for WordPress <= 7.3.1, the plugin stores a plaintext password reset key in the wp_usermeta table under arm_reset_password_key after a reset request, instead of relying only on WordPress core's hashed reset token. The plugin's custom armrp reset action can then accept that plaintext key to set a new password. Impact-wise, that is an account takeover primitive affecting any account whose reset token can be created and then read back, including administrators.

The vendor/CNA 9.8 CRITICAL score is too generous for this CVE *in isolation*. The decisive friction is that the bug is not self-sufficient: an attacker still needs a way to obtain the stored plaintext key, typically by chaining a read primitive like the same-version unauthenticated SQL injection in CVE-2026-5073. That said, because the sibling SQLi hits the same product, same affected range, same disclosure date, same patch, the chain is realistic enough that this stays HIGH, not MEDIUM.

"Dangerous when chained, but this is not a clean one-shot internet-to-admin bug by itself."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Fingerprint ARMember and locate the exposed flow

An attacker first confirms the target is running ARMember Premium and is likely on a vulnerable build. In practice this is done with normal web fingerprinting, theme/plugin artifact checks, and by locating front-end membership or password-reset pages that ARMember exposes.

Conditions required:

Internet reachability to the WordPress site
ARMember Premium installed and in active use
Enough fingerprinting clues to identify the plugin/version

Where this breaks in practice:

ARMember Premium is a niche premium plugin, not a ubiquitous internet appliance
Some sites suppress version leaks and minimize front-end plugin artifacts

Detection/coverage: ASM and WordPress fingerprinting scanners can usually identify the plugin family, but exact versioning is often weak unless files or changelog artifacts are exposed.

STEP 02

Create a fresh reset token for the target user

The attacker needs the plugin to generate a reset token for the account they want to hijack. That usually means submitting a password-reset request for a known username or email, causing ARMember to write a plaintext copy of the key into wp_usermeta.

Conditions required:

Knowledge of a valid target username or email
Password reset functionality exposed to the internet
The site accepts the reset request without strong anti-automation controls

Where this breaks in practice:

Admin usernames are not always enumerable
Rate limiting, CAPTCHA, or mail-flow protections can slow repeated attempts
If no reset is requested, there may be no fresh token to steal

Detection/coverage: Web logs can show bursts of forgot-password requests, but most vulnerability scanners will miss this logic issue unless they perform authenticated or workflow-aware testing.

STEP 03

Steal the plaintext token with a read primitive

This CVE becomes weaponizable when paired with a database read path. The cleanest published pairing is CVE-2026-5073, an unauthenticated SQL injection in the same plugin/version range that can expose database contents, including the arm_reset_password_key value.

Conditions required:

A data-exfiltration primitive exists against the same site
For the easiest chain, the site is also vulnerable to CVE-2026-5073
The attacker can reach the affected AJAX action

Where this breaks in practice:

Without SQLi or another read primitive, this CVE is mostly latent toxic state rather than immediate compromise
WAFs and managed WordPress protections may break noisy SQLi payloads
Some deployments may not expose the exact front-end functionality an exploit expects

Detection/coverage: DAST tools and WAF telemetry are more likely to catch the SQLi than the password-reset design flaw. Database reads from wp_usermeta are not meaningfully visible at the app layer.

STEP 04

Redeem the token via ARMember's reset action

Once the plaintext reset key is known, the attacker submits it to ARMember's custom armrp reset path and sets a new password for the target account. At that point the attacker has normal application-level control of the victim account, including full admin takeover if the target is an administrator.

Conditions required:

Valid plaintext reset key for the target user
Access to the ARMember reset endpoint
Token still valid at time of use

Where this breaks in practice:

Short token lifetime reduces the attacker window
Downstream controls like enforced MFA can still interrupt full takeover after password reset

Detection/coverage: Look for password changes following unusual reset requests, logins from new IPs, and account recovery events clustered around suspicious AJAX requests.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No KEV listing and I found no confirmed active exploitation reporting for this CVE as of the June 2, 2026 disclosure date.
Proof-of-concept availability	No standalone public PoC located in review-time search results. The practical exploit path is the chain with CVE-2026-5073, which is straightforward from the published description.
EPSS	Not publicly retrievable during this review; treat this as too fresh for EPSS-based prioritization. Do not wait for an EPSS score to make the call.
KEV status	Not in CISA KEV at review time.
CVSS vector readout	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` models this as a direct unauthenticated internet bug. That overstates reality because this specific CVE still needs a token-disclosure step.
Affected versions	All versions up to and including 7.3.1 of ARMember Premium.
Fixed version	7.3.2 per Wordfence and vendor changelog. The vendor changelog only says "minor bug fixes," so defenders should not expect an explicit security note.
Companion vulnerabilities	Same disclosure batch includes CVE-2026-5073 and CVE-2026-5074. 5073 is the meaningful amplifier because it is unauthenticated and can expose database contents.
Exposure population	WebTechSurvey reports roughly 1,298 live websites using ARMember Premium, with 430 in the US. That is small compared with mass-exploit WordPress plugin events, but still enough for opportunistic scanning.
Disclosure / researcher	Published 2026-06-02; credited researcher: h0xilo.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.7/10)

The single biggest reason this is not CRITICAL is that CVE-2026-5076 is not an exploit-complete bug on its own; the attacker still needs a way to read back the plaintext reset key after it is generated. It lands in HIGH because the same-version, same-day unauthenticated SQLi (CVE-2026-5073) provides a realistic pre-auth chain to administrator takeover on exposed ARMember sites.

HIGH Affected version range and fixed version

HIGH Chainability with sibling ARMember SQLi flaws

MEDIUM Real-world exploitability across the installed base

Why this verdict

Down from 9.8: not standalone — this CVE stores a dangerous secret in plaintext, but an attacker still needs a disclosure primitive to retrieve it.
Attacker position is still pre-auth remote if chained — the same affected versions also ship with unauthenticated SQLi (CVE-2026-5073), which compresses the exploit chain into one patch event.
Exposure population is narrower than the CVSS implies — ARMember Premium is a premium WordPress plugin with a much smaller internet footprint than mass-market plugins or edge appliances.
Impact is still full account takeover — once the token is recovered, the attacker can reset administrator credentials and operate as a legitimate app user.

Why not higher?

There is no KEV listing, no confirmed active exploitation, and no evidence that CVE-2026-5076 alone gives immediate unauthenticated admin takeover without an additional disclosure step. Real deployments also need the plugin installed, the reset flow reachable, and a target account enumerable enough to trigger a usable reset.

Why not lower?

The impact is not theoretical: plaintext reset tokens in wp_usermeta are a real takeover primitive. More importantly, the same version range has a published unauthenticated SQLi that can plausibly supply the missing read primitive, so this is too close to turnkey pre-auth admin compromise to dismiss as MEDIUM.

05 · Compensating Control

What to do — in priority order.

Block the vulnerable AJAX and reset paths — Deploy WAF or reverse-proxy rules that specifically constrain suspicious requests to ARMember AJAX handlers and the armrp reset flow. For a HIGH verdict, deploy this within 30 days, but if you see active probing in your telemetry, do it immediately.
Purge plaintext reset keys — Delete stale arm_reset_password_key entries from wp_usermeta and force fresh resets only after controls are in place. This removes the attacker prize already sitting in the database; apply within 30 days.
Throttle and gate password resets — Add CAPTCHA, rate limiting, and username-enumeration resistance to the reset flow so attackers cannot cheaply mint fresh tokens for chosen accounts. This is compensating friction, not a full fix; apply within 30 days.
Watch for chained exploitation indicators — Alert on unusual admin-ajax.php requests tied to ARMember actions, bursts of forgot-password submissions, and administrator password changes followed by new-source logins. Detection engineering should be in place within 30 days.

What doesn't work

Just blocking /wp-admin/ does not solve this; the important traffic is front-end password reset and AJAX endpoints.
Version-hiding or security-through-obscurity does not remove the bug; it only slows initial fingerprinting.
Relying on CVSS alone does not help prioritize this correctly; the real decision hinges on whether the site is also exposed to the sibling SQLi chain.

06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host as a user that can read the site directory and wp-config.php — typically the web server account or root. Invoke it like sudo bash ./check-armember-cve-2026-5076.sh /var/www/html; it needs local file read access and, if possible, PHP CLI to query the WordPress database using the site's own DB credentials.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-armember-cve-2026-5076.sh
# Detects whether a WordPress site is running vulnerable ARMember Premium (<= 7.3.1)
# and reports whether plaintext reset keys are present in wp_usermeta.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

set -u

SITE_ROOT="${1:-}"
if [ -z "$SITE_ROOT" ]; then
  echo "UNKNOWN: usage: $0 /path/to/wordpress"
  exit 2
fi

if [ ! -d "$SITE_ROOT" ]; then
  echo "UNKNOWN: site root not found: $SITE_ROOT"
  exit 2
fi

PLUGIN_DIR="$SITE_ROOT/wp-content/plugins/armember"
CONFIG="$SITE_ROOT/wp-config.php"
MAIN_PHP="$PLUGIN_DIR/armember.php"
README="$PLUGIN_DIR/readme.txt"

if [ ! -d "$PLUGIN_DIR" ]; then
  echo "PATCHED: ARMember plugin directory not present at $PLUGIN_DIR"
  exit 0
fi

version=""

# Try plugin header first
if [ -f "$MAIN_PHP" ]; then
  version=$(grep -iE '^\s*Version:\s*' "$MAIN_PHP" 2>/dev/null | head -n1 | sed -E 's/^\s*Version:\s*//I' | tr -d '\r')
fi

# Fall back to readme stable tag
if [ -z "$version" ] && [ -f "$README" ]; then
  version=$(grep -iE '^\s*Stable tag:\s*' "$README" 2>/dev/null | head -n1 | sed -E 's/^\s*Stable tag:\s*//I' | tr -d '\r')
fi

if [ -z "$version" ]; then
  echo "UNKNOWN: could not determine ARMember version from $MAIN_PHP or $README"
  exit 2
fi

compare_versions() {
  # returns success if $1 <= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

reset_key_count="unknown"

if [ -f "$CONFIG" ] && command -v php >/dev/null 2>&1; then
  # Query wp_usermeta via PHP + wp-config constants, no mysql client required.
  php_output=$(php <<PHP 2>/dev/null
<?php
error_reporting(0);
if (!file_exists('$CONFIG')) { echo 'NO_CONFIG'; exit(0); }
require '$CONFIG';
if (!defined('DB_HOST') || !defined('DB_NAME') || !defined('DB_USER') || !defined('DB_PASSWORD')) {
    echo 'NO_DB_CONST';
    exit(0);
}
$table_prefix = isset($table_prefix) ? $table_prefix : 'wp_';
$mysqli = @new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if ($mysqli->connect_errno) { echo 'DB_CONNECT_FAIL'; exit(0); }
$table = $table_prefix . 'usermeta';
$sql = "SELECT COUNT(*) AS c FROM `" . $mysqli->real_escape_string($table) . "` WHERE meta_key='arm_reset_password_key' AND meta_value IS NOT NULL AND meta_value <> ''";
$res = @$mysqli->query($sql);
if (!$res) { echo 'QUERY_FAIL'; exit(0); }
$row = $res->fetch_assoc();
echo (string)$row['c'];
$mysqli->close();
?>
PHP
)

  case "$php_output" in
    NO_CONFIG|NO_DB_CONST|DB_CONNECT_FAIL|QUERY_FAIL|"") reset_key_count="unknown" ;;
    *) reset_key_count="$php_output" ;;
  esac
fi

if compare_versions "$version" "7.3.1"; then
  echo "VULNERABLE: ARMember version $version detected (<= 7.3.1). arm_reset_password_key rows: $reset_key_count"
  exit 1
else
  echo "PATCHED: ARMember version $version detected (> 7.3.1). arm_reset_password_key rows: $reset_key_count"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify every WordPress asset running ARMember Premium, and treat any host on <= 7.3.1 as a HIGH-priority web-app exposure. Per the noisgate mitigation SLA, deploy temporary protections within 30 days — block or tightly filter the relevant ARMember AJAX/reset paths, purge plaintext arm_reset_password_key values, and add reset throttling — then complete the actual upgrade to 7.3.2+ inside the noisgate remediation SLA of 180 days. If your logs show suspicious admin-ajax.php probing or abnormal reset activity, skip the waiting and patch/contain the affected sites immediately.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.