WordPress · ARMember · CVE-2026-7649
**Name of the Vulnerable Software and Affected Versions**
ARMember – Membership Plugin versions prior to 4.0.61
**Description**
The ARMember – Membership Plugin for WordPress is susceptible to time-based blind SQL Injection, a technique where an attacker asks the database true/false questions and determines the answer based on the time the server takes to respond. This occurs due to insufficient escaping of user-supplied parameters and a lack of proper preparation of the SQL query. Unauthenticated attackers can append additional SQL queries via the `orderby` parameter to extract sensitive information from the database.
**Recommendations**
Update the plugin to a version later than 4.0.60.
As a temporary workaround, restrict or sanitize the input for the `orderby` parameter to minimize the risk of exploitation.
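
One way to apply the temporary workaround above, as an added example and not ARMember or vendor code: a must-use plugin that rejects any request whose top-level `orderby` value is not a plain column identifier. The file placement, function names and allowed pattern are assumptions, and it inspects only `$_GET` and `$_POST`.

```php
<?php
/**
 * Plugin Name: Orderby input guard (temporary workaround)
 * Description: Added example, not ARMember code. Place in wp-content/mu-plugins/.
 */

// Assumption: valid orderby values on this site are a column name, optionally
// table-qualified, optionally followed by ASC or DESC. Adjust to your site.
const ORDERBY_GUARD_PATTERN =
    '/\A[a-z_][a-z0-9_]{0,63}(\.[a-z_][a-z0-9_]{0,63})?( (asc|desc))?\z/i';

// Hypothetical helper: true when $value (string or nested array) is harmless.
function orderby_guard_is_safe( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $item ) {
            $key_ok = is_int( $key ) || orderby_guard_is_safe( $key );
            if ( ! $key_ok || ! orderby_guard_is_safe( $item ) ) {
                return false;
            }
        }
        return true;
    }
    if ( ! is_string( $value ) ) {
        return false;
    }
    return '' === $value || 1 === preg_match( ORDERBY_GUARD_PATTERN, $value );
}

// Hypothetical helper: stop the request before any regular plugin sees it.
function orderby_guard_check_request() {
    foreach ( array( $_GET, $_POST ) as $params ) {
        if ( ! array_key_exists( 'orderby', $params ) ) {
            continue;
        }
        if ( ! orderby_guard_is_safe( $params['orderby'] ) ) {
            $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
            error_log( 'orderby-guard: rejected orderby value from ' . $ip );
            status_header( 400 );
            exit( 'Invalid orderby parameter.' );
        }
    }
}

// Must-use plugins load before regular plugins, so this runs first.
orderby_guard_check_request();
```

Rejected requests are written to the PHP error log, which gives a signal to monitor while the update is pending.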