What the vulnerability does
01Description
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if the "User Private Content" addon is enabled, which is disabled by default..
Explanation of Vulnerability in Simple Terms
02Summary
ARMember Premium contains a SQL injection vulnerability in versions up to 7.3.1. An authenticated user with low privileges can craft malicious input to query the database directly, potentially reading sensitive data including user credentials and membership information. The vulnerability requires valid login credentials but no additional user interaction.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the site database, including user credentials and membership records.
Potential impact on your site
04Site Impact
User data, passwords, and membership details may be exposed to any authenticated user, even those with minimal permissions.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account with low-level privileges on the site.
Key dates
06Disclosure timeline
June 2, 2026
CVE published
June 2, 2026
Record updated
