Vulnerabilities ›

CVE-2026-5073

High

CWE-89 — Weakness Type

                    Published: Jun 2, 2026                      ·  Modified: Jun 9, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

🤖 AI Executive Summary

ARMember Premium WordPress plugin versions up to 7.3.1 contain SQL injection vulnerability in the 'order' parameter of AJAX actions, allowing unauthenticated attackers to extract sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statements in the arm_get_directory_members() function.

📄 Description (Arabic)

ثغرة SQL Injection في إضافة ARMember Premium للووردبريس تؤثر على جميع الإصدارات حتى 7.3.1. تسمح الثغرة للمهاجمين غير المصرحين بإدراج استعلامات SQL إضافية واستخراج معلومات حساسة من قاعدة البيانات. السبب الرئيسي هو عدم كفاية التحقق من صحة معاملات 'order' و 'orderby' وعدم استخدام الاستعلامات المحضرة.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 18:11

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom government healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1110 T1040 T1557

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update ARMember Premium plugin to version 7.3.2 or later immediately. Implement Web Application Firewall (WAF) rules to filter malicious SQL patterns in AJAX requests. Use prepared statements and parameterized queries for all database operations. Apply principle of least privilege to database user accounts. Monitor AJAX requests for suspicious SQL syntax patterns.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة ARMember Premium إلى الإصدار 7.3.2 أو أحدث فوراً. طبق قواعد جدار حماية تطبيقات الويب لتصفية أنماط SQL الضارة في طلبات AJAX. استخدم الاستعلامات المحضرة والاستعلامات المعاملية لجميع عمليات قاعدة البيانات. طبق مبدأ أقل صلاحية لحسابات مستخدمي قاعدة البيانات. راقب طلبات AJAX للكشف عن أنماط SQL المريبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.7.1.1 A.7.1.2 A.12.2.1 A.12.6.1

🔵 SAMA CSF

ID.RA-2 PR.DS-2 PR.DS-6 DE.CM-1

🟡 ISO 27001:2022

A.12.2.1 A.13.1.1 A.14.2.1

🔗 References & Sources 2

🔗

https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/b5f6d2a2-ad3e-4afc-b6fd-74588...

security@wordfence.com

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-89

EPSS0.06%

Exploit No

Patch ✗ No

Published 2026-06-02

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-89

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-5073

Introduce Yourself

Sign In Required