Time-Based Blind SQL Injection in ARMember Membership Plugin for WordPress
CVE-2026-7649

7.5 HIGH

What is CVE-2026-7649?

The ARMember Membership Plugin for WordPress is susceptible to a time-based blind SQL injection flaw caused by insufficient escaping of a user-supplied parameter and insufficient preparation of the SQL query it is used in. The vulnerable input is the 'orderby' parameter, in all versions up to and including 4.0.60. Because an ORDER BY clause takes a column identifier rather than a bound value, the parameter reaches the query text directly, and unauthenticated attackers can append additional SQL to the existing query, potentially leading to unauthorized access to sensitive data within the database.
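The defensive pattern for this class of bug, as an added illustration that is not ARMember's own code: an ORDER BY column cannot be bound with a placeholder, so the request value is mapped through a strict allowlist and only the trusted column name and direction are interpolated, while genuine data values are bound with `$wpdb->prepare()`. The function names `armx_*`, the allowlist keys and the assumed request keys are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Demonstrates safe handling of an
// 'orderby' request parameter in a WordPress $wpdb query.

function armx_safe_orderby( string $requested ): string {
    // Hypothetical allowlist: keys are what the request may carry,
    // values are fixed, trusted column names. Nothing else reaches the SQL.
    $allowed = array(
        'name'   => 'user_login',
        'email'  => 'user_email',
        'joined' => 'user_registered',
    );
    // Unknown or malformed input falls back to a constant default.
    return $allowed[ strtolower( $requested ) ] ?? 'user_registered';
}

function armx_safe_order( string $requested ): string {
    // Only the two literal directions are ever emitted.
    return strtoupper( $requested ) === 'ASC' ? 'ASC' : 'DESC';
}

function armx_list_members( wpdb $wpdb, array $request, int $limit = 20 ): array {
    $orderby = armx_safe_orderby( (string) ( $request['orderby'] ?? '' ) );
    $order   = armx_safe_order( (string) ( $request['order'] ?? '' ) );

    // Identifier and direction come solely from the allowlists above; the
    // LIMIT value is real user data and is bound through a %d placeholder.
    $sql = $wpdb->prepare(
        "SELECT ID, user_login, user_email FROM {$wpdb->users}
         ORDER BY {$orderby} {$order} LIMIT %d",
        $limit
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}
```

A request carrying any value outside the allowlist is silently mapped to the default column, so the query text never varies with attacker input.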

Affected Version(s)

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup: versions 0 through 4.0.60 (inclusive)

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yuvraj Tomar