Introduction
A plaintext password reset key stored alongside WordPress core's properly hashed version has turned the ARMember Premium membership plugin into a full admin takeover vector for any WordPress site running version 7.3.1 or earlier. When chained with two SQL injection flaws in the same plugin, an unauthenticated attacker can extract the key from the database and reset any user's password without ever logging in.
ARMember Premium, developed by Repute Infosystems and sold through Envato's CodeCanyon marketplace, is an all in one WordPress membership plugin used to manage memberships, gated content, and community features with WooCommerce integration. It competes with established solutions like MemberPress and Paid Memberships Pro. Its presence on both CodeCanyon (premium) and the WordPress.org plugin repository (free variant) gives it reach across a broad segment of WordPress sites handling user accounts and payment data.
Technical Information
Root Cause: Plaintext Reset Key in User Meta
The vulnerability at the heart of CVE-2026-5076 is a cryptographic design error in how ARMember Premium handles password reset tokens. WordPress core follows established practice: when a user requests a password reset, the core generates a reset key, hashes it, and stores the hash in the user_activation_key column of the wp_users table. Even with full database access, an attacker cannot recover the original key from this hash.
ARMember Premium breaks this security model by introducing a parallel storage path. The plugin stores an additional plaintext copy of the same password reset key in a custom user meta field called arm_reset_password_key within the wp_usermeta table. This plaintext key is directly usable: the plugin's custom armrp reset action accepts it as a valid authentication token to authorize setting a new password for any user account, including administrators.
The vulnerability is classified under CWE-287 (Improper Authentication). The plugin's custom reset mechanism accepts the plaintext key without requiring the cryptographic verification that WordPress core enforces, effectively creating a side channel that bypasses the platform's built in protections.
CVSS Breakdown
The full CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, scoring 9.8 Critical:
| CVSS Component | Value | Significance |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the internet |
| Attack Complexity | Low (AC:L) | No specialized conditions required |
| Privileges Required | None (PR:N) | No authentication needed to initiate the chain |
| User Interaction | None (UI:N) | No victim action required |
| Scope | Unchanged (S:U) | Impact confined to the vulnerable component |
| Confidentiality | High (C:H) | Full database read access via SQLi |
| Integrity | High (I:H) | Password reset enables account modification |
| Availability | High (A:H) | Admin takeover enables site defacement or shutdown |
The Exploitation Chain
The standalone exploitation of CVE-2026-5076 requires database read access. Two companion SQL injection vulnerabilities in the same plugin version provide exactly that:
CVE-2026-5073 (Unauthenticated SQLi, CVSS 7.5): An unauthenticated SQL injection via the order parameter of the arm_directory_paging_action AJAX action. The flaw stems from insufficient escaping on user supplied order and orderby parameters and a lack of proper query preparation in the arm_get_directory_members() function. An unauthenticated attacker can append additional SQL queries to extract arbitrary data from the database.
CVE-2026-5074 (Authenticated SQLi, Subscriber+): An authenticated SQL injection via the sSortDir_0 parameter of the get_private_content_data AJAX action. This requires at least Subscriber level access but still provides a database extraction pathway for low privileged users.
The chained attack proceeds in three discrete steps:
-
Trigger the reset key creation. The attacker initiates a password reset for a target administrator account. This causes ARMember Premium to store the plaintext reset key in the
arm_reset_password_keymeta field inwp_usermeta. -
Extract the plaintext key via SQL injection. The attacker exploits CVE-2026-5073 (no authentication required) to perform SQL injection against the
wp_usermetatable, reading the plaintextarm_reset_password_keyvalue for the target administrator. -
Reset the administrator password. The attacker submits the extracted plaintext key to the plugin's custom
armrpreset action, setting an arbitrary new password for the administrator account.
The result is complete, unauthenticated administrator account takeover with no user interaction required at any stage.
Why This Design Is Fundamentally Broken
This vulnerability illustrates a broader anti-pattern: a plugin undermining the security architecture of its host platform. WordPress core correctly hashes password reset keys precisely to prevent the scenario that CVE-2026-5076 enables. By storing a plaintext copy in a different table, ARMember Premium created a parallel authentication path that is weaker than the one it was meant to supplement. The plaintext key in wp_usermeta is reachable through any database read vulnerability, not just the specific SQL injection flaws documented here, making this a persistent architectural weakness rather than a simple implementation bug.
Patch Information
ARMember Premium version 7.3.2, released on April 18, 2026, addresses CVE-2026-5076. The Wordfence advisory explicitly confirms the remediation: "Update to version 7.3.2, or a newer patched version."
The fix eliminates the insecure pattern at the core of the vulnerability. Based on the vulnerability description and the CWE-287 classification, the patch removes or secures the plaintext storage of the reset key in the arm_reset_password_key meta field, ensuring the custom password reset flow no longer exposes a usable plaintext token in the database. Because ARMember Premium is a commercial plugin distributed through CodeCanyon, the source code changes are not publicly available in a diff format. However, Wordfence has verified the patch and confirmed the issue is resolved in 7.3.2.
The same version also addresses the companion SQL injection vulnerabilities:
| CVE | Type | Authentication Required | Patch Version |
|---|---|---|---|
| CVE-2026-5076 | Insecure Password Reset / Improper Authentication (CVSS 9.8) | None (when chained) | 7.3.2 |
| CVE-2026-5073 | Unauthenticated SQL Injection via order parameter (CVSS 7.5) | None | 7.3.2 |
| CVE-2026-5074 | Authenticated SQL Injection via sSortDir_0 parameter | Subscriber+ | 7.3.2 |
Notably, the vendor's own changelog for version 7.3.2 lists only "Minor bug fixes," a common but concerning practice among WordPress plugin developers where critical security patches are silently shipped without explicit disclosure. This underscores why cross referencing authoritative sources like Wordfence Intelligence is essential for accurately assessing risk windows.
Post patch cleanup: Even after updating, administrators should review the wp_usermeta table for any lingering arm_reset_password_key entries. Any plaintext reset keys stored prior to the update should be considered potentially compromised and cleared. Newer releases (7.3, 7.4, and 7.5 series) are already available as of June 2026.
Affected Systems and Versions
Affected Product: ARMember Premium (WordPress plugin)
Affected Versions: All versions up to and including 7.3.1
Fixed Version: 7.3.2 (released April 18, 2026)
Companion Vulnerabilities (same affected version range):
- CVE-2026-5073: ARMember Premium <= 7.3.1 (Unauthenticated SQL Injection)
- CVE-2026-5074: ARMember Premium <= 7.3.1 (Authenticated SQL Injection)
Related (free variant):
- CVE-2026-7649: ARMember (free) <= 4.0.60 (Time based Blind SQL Injection)
Any WordPress site running ARMember Premium version 7.3.1 or earlier is vulnerable. The chained exploitation scenario requires no authentication, no user interaction, and no special configuration beyond having the plugin installed and active.
Vendor Security History
ARMember has a documented pattern of recurring security vulnerabilities across both its free and premium variants, cataloged in the Wordfence Intelligence Vulnerability Database:
| Vulnerability | Plugin Variant / Version | Type |
|---|---|---|
| ARMember <= 3.4.11 Unauthenticated SQL Injection | Free, <= 3.4.11 | SQL Injection |
| ARMember <= 4.0.10 Authenticated (Subscriber+) SQL Injection | Free, <= 4.0.10 | SQL Injection |
| CVE-2026-7649 Time based Blind SQL Injection | Free, <= 4.0.60 | SQL Injection |
| CVE-2026-5073 Unauthenticated SQL Injection (order param) | Premium, <= 7.3.1 | SQL Injection |
| CVE-2026-5074 Authenticated SQL Injection (sSortDir_0) | Premium, <= 7.3.1 | SQL Injection |
| CVE-2026-5076 Insecure Password Reset | Premium, <= 7.3.1 | Improper Authentication |
The recurrence of SQL injection vulnerabilities across multiple versions and both plugin variants points to systemic deficiencies in input sanitization and query preparation practices within the codebase. The insecure password reset mechanism in CVE-2026-5076 further indicates gaps in secure cryptographic design review. Organizations relying on ARMember should consider this track record when evaluating long term plugin dependency and implement layered defenses including WAF rules, database monitoring for anomalous queries against wp_usermeta, and principle of least privilege configurations.
Security researcher h0xilo discovered and reported CVE-2026-5076 along with CVE-2026-5073, with coordinated disclosure through Wordfence enabling vendor patching before public disclosure on June 2, 2026.
References
- NVD: CVE-2026-5076 Detail
- Wordfence Advisory: ARMember Premium <= 7.3.1 Insecure Password Reset Mechanism
- Wordfence: ARMember Premium <= 7.3.1 Insecure Password Reset (Plugin Page)
- Wordfence: ARMember Premium <= 7.3.1 Unauthenticated SQL Injection via order Parameter
- Wordfence: ARMember Premium <= 7.3.1 Authenticated SQL Injection via sSortDir_0
- Wordfence: ARMember Premium Vulnerability History
- ARMember Changelog
- ARMember on CodeCanyon
- SentinelOne: CVE-2026-7649 ARMember WordPress Plugin SQLi
- AppSecure: CVE-2026-7649 High Vulnerability in ARMember
- CISA Known Exploited Vulnerabilities Catalog



