PT-2026-36587 · WordPress · Armember

Yuvraj Tomar · Published 2026-05-02 · Updated 2026-05-08 · CVE-2026-7649

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ARMember – Membership Plugin versions prior to 4.0.61

Description: The ARMember – Membership Plugin for WordPress is susceptible to time-based blind SQL injection, a technique in which an attacker asks the database true/false questions and infers the answers from how long the server takes to respond. The flaw stems from insufficient escaping of user-supplied parameters and the absence of a properly prepared SQL query. Unauthenticated attackers can append additional SQL via the orderby parameter to extract sensitive information from the database.

Recommendations: Update the plugin to a version later than 4.0.60. As a temporary workaround, restrict or sanitize the input for the orderby parameter to minimize the risk of exploitation.
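The root cause named above (a request-controlled orderby value reaching the SQL text without escaping or preparation) and the recommended workaround (restricting the orderby input) are illustrated by the following added example. It is not ARMember's code and does not reproduce the plugin's query; the table name, column names and function names are hypothetical. It shows the generic unsafe pattern beside an allow-listed, prepared version, as a WordPress plugin author would write it against `$wpdb`.

```php
<?php
// Added example, not ARMember's code. Table and column names are hypothetical.

// UNSAFE pattern: the request value is concatenated straight into ORDER BY.
// $wpdb->prepare() can only parameterise values (%s, %d), not identifiers,
// so developers often interpolate orderby directly, which is the root cause
// of this class of bug. Kept here only to contrast with the fixed version.
function example_list_members_unsafe( $wpdb, $table ) {
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    return $wpdb->get_results( "SELECT * FROM {$table} ORDER BY {$orderby}" );
}

// Hardened helper: map the requested column onto a fixed allow-list and fall
// back to a default. Anything not on the list never reaches the query text.
function example_safe_orderby( $requested, array $allowed, $default ) {
    $requested = strtolower( trim( (string) $requested ) );
    return in_array( $requested, $allowed, true ) ? $requested : $default;
}

// Same idea for the sort direction: only two literal outcomes are possible.
function example_safe_order( $requested ) {
    return 'DESC' === strtoupper( trim( (string) $requested ) ) ? 'DESC' : 'ASC';
}

// SAFE pattern: identifiers come from constants chosen by allow-list, and the
// one genuine value in the query goes through $wpdb->prepare().
function example_list_members_safe( $wpdb, $table ) {
    $allowed = array( 'id', 'user_login', 'created_at' );
    $orderby = example_safe_orderby( $_GET['orderby'] ?? 'id', $allowed, 'id' );
    $order   = example_safe_order( $_GET['order'] ?? 'ASC' );

    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order}",
        'active'
    );
    return $wpdb->get_results( $sql );
}
```

WordPress core also ships `sanitize_sql_orderby()`, which rejects strings that do not look like a comma-separated list of column names with optional ASC/DESC; it is a reasonable second line of defence, but an explicit allow-list of the columns the feature actually sorts on is the stricter control and is what the temporary workaround above amounts to.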

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-7649

Affected Products: Armember