What the vulnerability does
01Description
The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. When a user requests a password reset, the plugin stores a plaintext copy of the reset key in the `arm_reset_password_key` user meta field. This is in addition to the copy WordPress core writes to `wp_users.user_activation_key`, which core stores only as the request time and a password hash of the key (`wp_hash_password()`), so reading that column does not yield a usable key. The plaintext value in `wp_usermeta` does: it can be submitted to the plugin's custom `armrp` reset action to set a new password for the corresponding user. Any way of reading `wp_usermeta` therefore becomes an account takeover. Combined with another vulnerability such as SQL injection (CVE-2026-5073, CVE-2026-5074), unauthenticated attackers can trigger a reset for a target account, extract the plaintext key, and take over any user account, including administrators.
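The storage difference described above, shown as an added illustration that is not ARMember's own code: a reset-request handler in the vulnerable shape (a plaintext copy written to `arm_reset_password_key` beside the hashed copy that core keeps) next to a hardened handler that relies only on WordPress core's `get_password_reset_key()` and `check_password_reset_key()`, plus a cleanup routine for plaintext keys a vulnerable version may have left behind. The `example_` function names and the request and validation flow are assumptions made for the illustration; only the WordPress core APIs and the `arm_reset_password_key` meta key named on this page are real.

```php
<?php
/**
 * Added illustration, not ARMember's code. Everything prefixed example_ is
 * hypothetical; the WordPress core functions are real and used as documented.
 */

// VULNERABLE PATTERN: keep a plaintext copy of the key in user meta.
// Core has already stored time():wp_hash_password($key) in wp_users.user_activation_key.
// The usermeta copy lets anyone with a database read (for example via SQL
// injection) redeem the reset for this user.
function example_vulnerable_request_reset( WP_User $user ) {
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    update_user_meta( $user->ID, 'arm_reset_password_key', $key ); // plaintext at rest
    // ... email $key to the user ...
    return $key;
}

// VULNERABLE PATTERN: validate the submitted key against the plaintext meta value.
function example_vulnerable_handle_reset( $login, $submitted_key, $new_password ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return false;
    }
    $stored = get_user_meta( $user->ID, 'arm_reset_password_key', true );
    if ( '' === $stored || ! hash_equals( (string) $stored, (string) $submitted_key ) ) {
        return false;
    }
    reset_password( $user, $new_password );
    delete_user_meta( $user->ID, 'arm_reset_password_key' );
    return true;
}

// HARDENED: never persist the plaintext key; core's hashed copy is all that is needed.
function example_hardened_request_reset( WP_User $user ) {
    $key = get_password_reset_key( $user ); // stores time:hash in user_activation_key
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    // ... email $key to the user; from here on it exists only in that message ...
    return $key;
}

// HARDENED: let core compare the hash and enforce expiry
// (password_reset_expiration filter, one day by default).
function example_hardened_handle_reset( $login, $submitted_key, $new_password ) {
    $user = check_password_reset_key( (string) $submitted_key, (string) $login );
    if ( is_wp_error( $user ) ) {
        return false; // unknown user, wrong key, or expired key
    }
    reset_password( $user, $new_password ); // wp_set_password() also clears user_activation_key
    return true;
}

// Cleanup after updating: remove plaintext keys a vulnerable version left in wp_usermeta.
// Returns the number of users that still had a leftover key.
function example_purge_leftover_reset_keys() {
    global $wpdb;
    $user_ids = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND meta_value <> ''",
            'arm_reset_password_key'
        )
    );
    foreach ( $user_ids as $user_id ) {
        delete_user_meta( (int) $user_id, 'arm_reset_password_key' );
    }
    return count( $user_ids );
}
```

The hardened flow keeps the key in exactly one place, the hashed `user_activation_key` column, so a database read alone never yields a redeemable token. Running something like `example_purge_leftover_reset_keys()` once after updating is worthwhile because any plaintext keys written by the vulnerable version remain readable to anything that can read `wp_usermeta` until they are deleted.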
Explanation of Vulnerability in Simple Terms
02Summary
ARMember Premium versions up to and including 7.3.1 store a plaintext copy of each user's password reset key in the `arm_reset_password_key` user meta field. On its own this does not let an attacker log in; it becomes an account takeover when combined with any way to read the `wp_usermeta` table, such as the SQL injection flaws CVE-2026-5073 and CVE-2026-5074. An unauthenticated attacker who can read that table requests a reset for the target account, retrieves the plaintext key, and uses the plugin's `armrp` reset action to set a new password, taking over the account, including administrator accounts and with them member data, content restrictions, and user profiles. No interaction from the victim is required. Site administrators should update immediately to a patched version.
What an attacker can do
03Attacker Capabilities
Take over any user account, including administrator accounts, by reading the plaintext reset key from `wp_usermeta` (which requires a second flaw such as SQL injection, or other database read access) and completing the plugin's `armrp` reset flow with it.
Potential impact on your site
04Site Impact
Full takeover of any account, including administrators, which in turn exposes member data, bypasses content restrictions, and allows user accounts and profiles to be modified; an administrator account gives complete control of the site.
Conditions required to exploit
05Prerequisites
Remote, unauthenticated, and no victim interaction. The attacker must be able to read the `arm_reset_password_key` user meta value, which means chaining a second vulnerability such as the SQL injection flaws CVE-2026-5073 and CVE-2026-5074, or having other read access to the `wp_usermeta` table.
Key dates
06Disclosure timeline
June 2, 2026
CVE published
June 2, 2026
Record updated