CVE-2026-5076— ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation
Possible ATT&CK Techniques 3AI
T1552.004 · Private Keys T1078 · Valid Accounts T1136.003 · Cloud AccountAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| armember | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | ≤ 7.3.1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-5076
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation
Source: NVD (National Vulnerability Database)
Vulnerability Description
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| armember | ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | 0 ~ 7.3.1 | - |
II. Public POCs for CVE-2026-5076
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-5076
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-5076 (1)
Same Patch Batch · armember · 2026-06-02 · 3 CVEs total
| CVE-2026-5073 | 7.5 HIGH | ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection via 'order' Parameter |
| CVE-2026-5074 | 6.5 MEDIUM | ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL Injection via 'sSortDir_0' Par |
IV. Related Vulnerabilities
Same weakness: CWE-287
- CVE-2026-45289
CloudburstMC Protocol: Partially missing validation for FULL - CVE-2026-49448
authentik: SourceStage bypass via empty POST - CVE-2026-49443
authentik: `UserSourceConnection.user` and `GroupSourceConne - CVE-2026-10619
sayan365 student-management-system improper authentication - CVE-2026-10611
OTP bypass via plugin-based LDAP authentication in MISP when
V. Comments for CVE-2026-5076
No comments yet