CVE-2026-5074 in ARMember Premium Plugin

Summary

by MITRE • 2026-06-03

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if the "User Private Content" addon is enabled, which is disabled by default.

Responsible

Wordfence

Reserved

2026-03-28

Disclosure

2026-06-03

Moderation

accepted

Entry

VDB-368056

CPE

ready

EPSS

0.00026

KEV

no

Activities

low
