High severity7.5NVD Advisory· Published Jun 2, 2026· Updated Jun 2, 2026
CVE-2026-5073
CVE-2026-5073
Description
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the arm_get_directory_members() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected products
1- Range: <=7.3.1
Patches
Vulnerability mechanics
References
2News mentions
2- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026)Wordfence Blog · Jun 11, 2026
- WordPress: 25 Plugin and Theme Vulnerabilities Disclosed in Single BatchVypr Intelligence · Jun 3, 2026