ARMember WordPress Plugin Vulnerable to Time-Based Blind SQL Injection (CVE-2026-7649)
A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (<= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.
The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is susceptible to time-based blind SQL injection. This vulnerability, identified as CVE-2026-7649, affects all versions up to and including 4.0.60. The root cause is inadequate escaping of the user-supplied ‘orderby’ parameter combined with the absence of proper preparation of the existing SQL query. An unauthenticated attacker can exploit this weakness by injecting malicious SQL, potentially extracting sensitive information directly from the WordPress database. This presents a significant risk, as it could expose user credentials, personal data, and other confidential information stored within the database, impacting the confidentiality and integrity of the WordPress installation.
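The root cause described above, an untrusted sort key spliced into the query text, cannot be fixed with a bound parameter alone: ORDER BY takes an identifier, and placeholders only bind values. The added example below (written for this page, not code from the ARMember plugin, which is not shown) contrasts the anti-pattern with the standard fix, an allowlist that maps the request value to a known column name and falls back to a fixed default. It uses Python with sqlite3 and a constructed `members` table; the table, column and function names are assumptions. The same approach applies to `$wpdb` code in a WordPress plugin.

```python
import sqlite3

# Constructed sample rows for an assumed `members` table (not the plugin's real schema).
SAMPLE_ROWS = [
    (1, "alice", "2024-01-02"),
    (2, "bob", "2024-01-01"),
    (3, "carol", "2024-01-03"),
]

# Allowlist: the only sort keys a client may request, mapped to real column names.
# Because ORDER BY targets are identifiers, a placeholder cannot bind them; the
# mapping is what keeps request text out of the SQL.
ALLOWED_ORDERBY = {
    "id": "id",
    "name": "user_name",
    "joined": "joined_on",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_members_query_vulnerable(orderby: str) -> str:
    """Anti-pattern: the request parameter becomes part of the statement verbatim,
    so whatever SQL the client supplies in `orderby` is executed."""
    return f"SELECT id, user_name, joined_on FROM members ORDER BY {orderby}"


def build_members_query_safe(orderby: str, direction: str = "asc") -> str:
    """Hardened form: the untrusted value is only a lookup key; anything that is
    not in the allowlist silently falls back to sorting by id ascending."""
    column = ALLOWED_ORDERBY.get(orderby.strip().lower(), "id")
    order = ALLOWED_DIRECTIONS.get(direction.strip().lower(), "ASC")
    return f"SELECT id, user_name, joined_on FROM members ORDER BY {column} {order}"


def fetch_members(orderby: str, direction: str = "asc") -> list:
    """Run the hardened query against an in-memory table built from SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, user_name TEXT, joined_on TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(build_members_query_safe(orderby, direction)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(build_members_query_vulnerable("joined_on DESC -- extra"))
    print(build_members_query_safe("joined_on DESC -- extra"))
    for row in fetch_members("joined", "asc"):
        print(row)
```

The vulnerable builder returns a statement containing whatever the client sent; the safe builder returns one of a small fixed set of statements regardless of input. Rejecting unknown keys with an error instead of defaulting is equally valid; what matters is that the request string never reaches the SQL text.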
Attack Chain
- An unauthenticated attacker identifies a WordPress site using the vulnerable ARMember plugin (version <= 4.0.60).
- The attacker crafts a malicious HTTP request targeting a page that uses the vulnerable ‘orderby’ parameter.
- The attacker injects SQL code into the ‘orderby’ parameter of the HTTP GET or POST request. This code is designed to exploit the time-based blind SQL injection vulnerability.
- The ARMember plugin processes the request without properly sanitizing the ‘orderby’ parameter, allowing the injected SQL code to be executed within the database query.
- The injected SQL code uses time-delay functions (e.g., SLEEP()) to determine the truthiness of conditions. Based on the response time, the attacker infers whether the injected SQL code is evaluating to true or false.
- The attacker iteratively refines the injected SQL code to extract sensitive data, such as table names, column names, and data values, character by character, by observing the time delays.
- The attacker dumps sensitive information from the database.
- The attacker uses the extracted credentials to gain administrative access to the WordPress site.
Impact
Successful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. This includes user credentials (usernames, email addresses, and password hashes), personal data, and potentially other confidential information stored within the database. The impact could range from unauthorized access to user accounts to complete compromise of the WordPress site and its underlying data. The number of affected sites depends on the prevalence of the ARMember plugin, but given its popularity, the potential impact is widespread.
Recommendation
- Apply the latest security patches provided by the ARMember plugin developers immediately to remediate CVE-2026-7649 on all WordPress installations using the plugin.
- Deploy the Sigma rule “Detect ARMember SQL Injection Attempt via Orderby Parameter” to your SIEM to detect exploitation attempts against this vulnerability.
- Monitor web server logs for suspicious requests containing SQL syntax in the ‘orderby’ parameter to identify potential exploitation attempts (log source: webserver).
- Implement and enforce strict input validation and sanitization for all user-supplied parameters, especially those used in database queries, to prevent SQL injection vulnerabilities.
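The log-monitoring recommendation above can be implemented as a small scanner over web server access logs. The added example below is written for this page and is not the Sigma rule named above (whose query is not shown here); its matching logic is my own. It parses Combined Log Format lines, URL-decodes the query string, and flags any `orderby` value that either contains SQL constructs (time-delay functions, comment markers, quotes, terminators) or does not look like a plain column name with an optional sort direction. The log lines are constructed samples with placeholder paths, since the advisory does not name the plugin's endpoints.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format). Paths and IPs are
# placeholders, not the plugin's real endpoints or any observed traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:00:01 +0000] "GET /?page=members&orderby=name HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2026:10:00:05 +0000] "GET /?page=members&orderby=id%20desc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:00:09 +0000] "GET /?page=members&orderby=name%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2026:10:00:21 +0000] "GET /?page=members&orderby=name'%20--%20 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.12 - - [12/Mar/2026:10:00:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL constructs that have no business in a sort key. This is a detection
# signature written for this example, not the vendor's rule.
SQLI_RE = re.compile(
    r"""(?ix)
      \b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(   # time-delay primitives
    | \bunion\b[\s\S]*\bselect\b                    # union-based probes
    | --|/\*|\#|;|['"]                              # comments, terminators, quotes
    """
)

# What a legitimate value looks like: a column name, optionally followed by asc/desc.
SAFE_ORDERBY_RE = re.compile(r"^[A-Za-z0-9_]+(?:\s+(?:asc|desc))?$", re.I)


def inspect_line(line: str):
    """Return a finding dict for a suspicious orderby value, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query, keep_blank_values=True).get("orderby", [])
    for value in values:
        value = value.strip()
        if not value:
            continue
        if SQLI_RE.search(value) or not SAFE_ORDERBY_RE.match(value):
            return {
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "orderby": value,
            }
    return None


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two caveats for anyone wiring this into a pipeline: a standard access log records only the query string of GET requests, so an `orderby` sent in a POST body (which the attack chain above also allows) is invisible here and needs WAF or application-level request logging; and a 200 status on a flagged request says nothing about success, since time-based blind injection returns normal pages by design, so the signal is the parameter content and, secondarily, unusually slow responses from the same client.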
Detection coverage (2 rules)
Detect ARMember SQL Injection Attempt via Orderby Parameter
Severity: high. Detects potential SQL injection attempts in the 'orderby' parameter of requests targeting the ARMember plugin.
Detect ARMember Plugin Installation
Severity: info. Detects requests indicative of the ARMember plugin being installed on a WordPress site.
Detection queries are kept inside the platform.