A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (<= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin <= 4.0.60
sql-injection
wordpress
armember
cve-2026-7649
2r
1t
1c