Directory Traversal Vulnerability in ARMember Plugin for WordPress
CVE-2026-15302
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15302?
The ARMember plugin for WordPress is affected by a directory traversal vulnerability that impacts all versions up to and including 4.0.27. This issue arises from improper validation of the 'X-FILENAME' HTTP header, which allows unauthenticated attackers to manipulate file uploads. As a result, attackers could upload and overwrite files, such as CSS files, to directories outside of the designated 'wp-content/uploads/armember' directory. This could lead to unauthorized access and potential exploitation of the affected system.
Affected Version(s)
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup 0 <= 4.0.27