CVE-2026-5076

CRITICAL

ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-5076. PoCs published by shootcannon, zycoder0day.

Description

The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators.
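
A defender-side check for the condition described above, added here as an example (it is not code from the plugin or from this advisory): it lists accounts that still hold a plaintext `arm_reset_password_key` row and reports only the key's length, never its value. The default `wp_` table prefix and the in-memory SQLite sample rows are assumptions; the query uses only the standard `wp_users` and `wp_usermeta` columns and also runs on MySQL.

```python
import sqlite3

# Audit query: accounts with a plaintext ARMember reset key in usermeta.
# Only the key length is selected so the secret never leaves the database.
AUDIT_SQL = """
SELECT u.ID, u.user_login, LENGTH(m.meta_value) AS key_len,
       EXISTS (SELECT 1 FROM wp_usermeta c
               WHERE c.user_id = u.ID
                 AND c.meta_key = 'wp_capabilities'
                 AND c.meta_value LIKE '%"administrator"%') AS is_admin
FROM wp_usermeta m
JOIN wp_users u ON u.ID = m.user_id
WHERE m.meta_key = 'arm_reset_password_key'
  AND m.meta_value <> ''
ORDER BY is_admin DESC, u.ID
"""

def build_sample_db():
    """Constructed rows shaped like the two WordPress tables named in the description."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_activation_key TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_users VALUES (?,?,?)", [
        (1, "site-admin", "1700000000:$P$B-constructed-hash"),
        (2, "member-a", ""),
        (3, "member-b", "1700000100:$P$B-constructed-hash"),
    ])
    db.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (1, "arm_reset_password_key", "CONSTRUCTEDKEY0000001"),
        (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
        (3, "arm_reset_password_key", "CONSTRUCTEDKEY0000003"),
    ])
    return db

def audit(db):
    """Return one dict per account that has a plaintext reset key at rest."""
    cols = ("id", "login", "key_len", "is_admin")
    return [dict(zip(cols, row)) for row in db.execute(AUDIT_SQL)]

if __name__ == "__main__":
    for row in audit(build_sample_db()):
        print(row)
```

Every row returned is a reset key that anyone able to read `wp_usermeta` can read, independent of the hashed key in `wp_users.user_activation_key`.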

Exploits (2)

github WORKING POC
by shootcannon · python · poc
https://github.com/shootcannon/CVE-2026-5076

This repository contains a functional exploit for CVE-2026-5076, targeting ARMember Premium versions <= 7.3.1. The exploit leverages SQL injection to extract admin credentials and trigger password resets, demonstrating the vulnerability's impact.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: ARMember Premium <= 7.3.1
No auth needed
Prerequisites: Target must be running ARMember Premium <= 7.3.1 · SQL injection vulnerability must be present
devstral-2 · analyzed Jun 05, 2026

github WRITEUP
by zycoder0day · poc
https://github.com/zycoder0day/CVE-2026-5076

This repository provides a detailed technical analysis of CVE-2026-5076, an insecure password reset mechanism in ARMember Premium <= 7.3.1, including root cause analysis, SQL injection vectors, and an attack chain roadmap.

Classification: Writeup 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: ARMember Premium <= 7.3.1
No auth needed
Prerequisites: ARMember Premium <= 7.3.1 installed · Access to a directory page with arm_directory_form_container
devstral-2 · analyzed Jun 04, 2026

Scores

CVSS v3 9.8
EPSS 0.0004
EPSS Percentile 13.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-287
Status published
Products (1)
armember/ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 7.3.1
Published Jun 02, 2026
Tracked Since Jun 03, 2026