ZeroPath at Black Hat USA 2026

ARMember Premium CVE-2026-5076: Brief Summary of a Critical Plaintext Password Reset Key Flaw Enabling WordPress Admin Takeover

A short review of CVE-2026-5076, a CVSS 9.8 insecure password reset mechanism in ARMember Premium for WordPress that stores plaintext reset keys in user meta, enabling full admin account takeover when chained with companion SQL injection flaws. Patch information and affected versions are included.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-02

ARMember Premium CVE-2026-5076: Brief Summary of a Critical Plaintext Password Reset Key Flaw Enabling WordPress Admin Takeover
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A plaintext password reset key stored alongside WordPress core's properly hashed version has turned the ARMember Premium membership plugin into a full admin takeover vector for any WordPress site running version 7.3.1 or earlier. When chained with two SQL injection flaws in the same plugin, an unauthenticated attacker can extract the key from the database and reset any user's password without ever logging in.

ARMember Premium, developed by Repute Infosystems and sold through Envato's CodeCanyon marketplace, is an all in one WordPress membership plugin used to manage memberships, gated content, and community features with WooCommerce integration. It competes with established solutions like MemberPress and Paid Memberships Pro. Its presence on both CodeCanyon (premium) and the WordPress.org plugin repository (free variant) gives it reach across a broad segment of WordPress sites handling user accounts and payment data.

Technical Information

Root Cause: Plaintext Reset Key in User Meta

The vulnerability at the heart of CVE-2026-5076 is a cryptographic design error in how ARMember Premium handles password reset tokens. WordPress core follows established practice: when a user requests a password reset, the core generates a reset key, hashes it, and stores the hash in the user_activation_key column of the wp_users table. Even with full database access, an attacker cannot recover the original key from this hash.

ARMember Premium breaks this security model by introducing a parallel storage path. The plugin stores an additional plaintext copy of the same password reset key in a custom user meta field called arm_reset_password_key within the wp_usermeta table. This plaintext key is directly usable: the plugin's custom armrp reset action accepts it as a valid authentication token to authorize setting a new password for any user account, including administrators.

The vulnerability is classified under CWE-287 (Improper Authentication). The plugin's custom reset mechanism accepts the plaintext key without requiring the cryptographic verification that WordPress core enforces, effectively creating a side channel that bypasses the platform's built in protections.

CVSS Breakdown

The full CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, scoring 9.8 Critical:

CVSS ComponentValueSignificance
Attack VectorNetwork (AV:N)Exploitable remotely over the internet
Attack ComplexityLow (AC:L)No specialized conditions required
Privileges RequiredNone (PR:N)No authentication needed to initiate the chain
User InteractionNone (UI:N)No victim action required
ScopeUnchanged (S:U)Impact confined to the vulnerable component
ConfidentialityHigh (C:H)Full database read access via SQLi
IntegrityHigh (I:H)Password reset enables account modification
AvailabilityHigh (A:H)Admin takeover enables site defacement or shutdown

The Exploitation Chain

The standalone exploitation of CVE-2026-5076 requires database read access. Two companion SQL injection vulnerabilities in the same plugin version provide exactly that:

CVE-2026-5073 (Unauthenticated SQLi, CVSS 7.5): An unauthenticated SQL injection via the order parameter of the arm_directory_paging_action AJAX action. The flaw stems from insufficient escaping on user supplied order and orderby parameters and a lack of proper query preparation in the arm_get_directory_members() function. An unauthenticated attacker can append additional SQL queries to extract arbitrary data from the database.

CVE-2026-5074 (Authenticated SQLi, Subscriber+): An authenticated SQL injection via the sSortDir_0 parameter of the get_private_content_data AJAX action. This requires at least Subscriber level access but still provides a database extraction pathway for low privileged users.

The chained attack proceeds in three discrete steps:

  1. Trigger the reset key creation. The attacker initiates a password reset for a target administrator account. This causes ARMember Premium to store the plaintext reset key in the arm_reset_password_key meta field in wp_usermeta.

  2. Extract the plaintext key via SQL injection. The attacker exploits CVE-2026-5073 (no authentication required) to perform SQL injection against the wp_usermeta table, reading the plaintext arm_reset_password_key value for the target administrator.

  3. Reset the administrator password. The attacker submits the extracted plaintext key to the plugin's custom armrp reset action, setting an arbitrary new password for the administrator account.

The result is complete, unauthenticated administrator account takeover with no user interaction required at any stage.

Why This Design Is Fundamentally Broken

This vulnerability illustrates a broader anti-pattern: a plugin undermining the security architecture of its host platform. WordPress core correctly hashes password reset keys precisely to prevent the scenario that CVE-2026-5076 enables. By storing a plaintext copy in a different table, ARMember Premium created a parallel authentication path that is weaker than the one it was meant to supplement. The plaintext key in wp_usermeta is reachable through any database read vulnerability, not just the specific SQL injection flaws documented here, making this a persistent architectural weakness rather than a simple implementation bug.

Patch Information

ARMember Premium version 7.3.2, released on April 18, 2026, addresses CVE-2026-5076. The Wordfence advisory explicitly confirms the remediation: "Update to version 7.3.2, or a newer patched version."

The fix eliminates the insecure pattern at the core of the vulnerability. Based on the vulnerability description and the CWE-287 classification, the patch removes or secures the plaintext storage of the reset key in the arm_reset_password_key meta field, ensuring the custom password reset flow no longer exposes a usable plaintext token in the database. Because ARMember Premium is a commercial plugin distributed through CodeCanyon, the source code changes are not publicly available in a diff format. However, Wordfence has verified the patch and confirmed the issue is resolved in 7.3.2.

The same version also addresses the companion SQL injection vulnerabilities:

CVETypeAuthentication RequiredPatch Version
CVE-2026-5076Insecure Password Reset / Improper Authentication (CVSS 9.8)None (when chained)7.3.2
CVE-2026-5073Unauthenticated SQL Injection via order parameter (CVSS 7.5)None7.3.2
CVE-2026-5074Authenticated SQL Injection via sSortDir_0 parameterSubscriber+7.3.2

Notably, the vendor's own changelog for version 7.3.2 lists only "Minor bug fixes," a common but concerning practice among WordPress plugin developers where critical security patches are silently shipped without explicit disclosure. This underscores why cross referencing authoritative sources like Wordfence Intelligence is essential for accurately assessing risk windows.

Post patch cleanup: Even after updating, administrators should review the wp_usermeta table for any lingering arm_reset_password_key entries. Any plaintext reset keys stored prior to the update should be considered potentially compromised and cleared. Newer releases (7.3, 7.4, and 7.5 series) are already available as of June 2026.

Affected Systems and Versions

Affected Product: ARMember Premium (WordPress plugin)

Affected Versions: All versions up to and including 7.3.1

Fixed Version: 7.3.2 (released April 18, 2026)

Companion Vulnerabilities (same affected version range):

  • CVE-2026-5073: ARMember Premium <= 7.3.1 (Unauthenticated SQL Injection)
  • CVE-2026-5074: ARMember Premium <= 7.3.1 (Authenticated SQL Injection)

Related (free variant):

  • CVE-2026-7649: ARMember (free) <= 4.0.60 (Time based Blind SQL Injection)

Any WordPress site running ARMember Premium version 7.3.1 or earlier is vulnerable. The chained exploitation scenario requires no authentication, no user interaction, and no special configuration beyond having the plugin installed and active.

Vendor Security History

ARMember has a documented pattern of recurring security vulnerabilities across both its free and premium variants, cataloged in the Wordfence Intelligence Vulnerability Database:

VulnerabilityPlugin Variant / VersionType
ARMember <= 3.4.11 Unauthenticated SQL InjectionFree, <= 3.4.11SQL Injection
ARMember <= 4.0.10 Authenticated (Subscriber+) SQL InjectionFree, <= 4.0.10SQL Injection
CVE-2026-7649 Time based Blind SQL InjectionFree, <= 4.0.60SQL Injection
CVE-2026-5073 Unauthenticated SQL Injection (order param)Premium, <= 7.3.1SQL Injection
CVE-2026-5074 Authenticated SQL Injection (sSortDir_0)Premium, <= 7.3.1SQL Injection
CVE-2026-5076 Insecure Password ResetPremium, <= 7.3.1Improper Authentication

The recurrence of SQL injection vulnerabilities across multiple versions and both plugin variants points to systemic deficiencies in input sanitization and query preparation practices within the codebase. The insecure password reset mechanism in CVE-2026-5076 further indicates gaps in secure cryptographic design review. Organizations relying on ARMember should consider this track record when evaluating long term plugin dependency and implement layered defenses including WAF rules, database monitoring for anomalous queries against wp_usermeta, and principle of least privilege configurations.

Security researcher h0xilo discovered and reported CVE-2026-5076 along with CVE-2026-5073, with coordinated disclosure through Wordfence enabling vendor patching before public disclosure on June 2, 2026.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization