⚡ Active KEV CVE-2026-5076 2026-06-02

CVE-2026-5076: ARMember Premium WordPress Plugin Stores Plaintext Password Reset Keys

A critical authentication flaw (CVSS 9.8) in the ARMember Premium WordPress plugin stores plaintext password reset keys in user meta, allowing unauthenticated account takeover when chained with a database read primitive.

What Is It

CVE-2026-5076 is an insecure password reset mechanism (CWE-287) in the ARMember Premium plugin for WordPress, affecting all versions up to and including 7.3.1. When a password reset is requested for a user, the plugin writes a plaintext copy of the reset key into the arm_reset_password_key user meta field, alongside the hashed key that WordPress core stores in wp_users.user_activation_key. Because that copy is never hashed, anyone who can read wp_usermeta obtains a key that can be replayed against the plugin's custom armrp reset action to set a new password for any account whose key is present in the table. Note that the hashed core value gives an attacker nothing, which is exactly why the plaintext duplicate is the bug.
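The following is an added example, not ARMember's or WordPress core's code. It models the two storage locations described above in a toy in-memory store so the failure is visible end to end: an attacker who can only read rows (the database read primitive) and submit the public reset form succeeds when the plugin keeps a plaintext copy, and fails when only the salted one-way hash exists. The class, table names, the sha256-based hasher (a stand-in for core's password hasher) and the `db_read` lambda are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets


class ResetStore:
    """Toy model of where a reset key lands: wp_users.user_activation_key
    (salt:hash, as core does) and the plugin's arm_reset_password_key user meta.
    Not the real plugin code; a simplified model for the demonstration."""

    def __init__(self, plaintext_copy):
        self.plaintext_copy = plaintext_copy  # True reproduces the vulnerable behaviour
        self.users = {}      # login -> {"password": ..., "user_activation_key": "salt:hash"}
        self.usermeta = {}   # login -> {"arm_reset_password_key": plaintext}

    def add_user(self, login, password):
        self.users[login] = {"password": password, "user_activation_key": ""}
        self.usermeta[login] = {}

    @staticmethod
    def _hash_key(salt, key):
        # Simplified stand-in for core's password hasher: salted and one-way.
        return hashlib.sha256(f"{salt}:{key}".encode()).hexdigest()

    def request_reset(self, login):
        """Issue a reset key. Core keeps only salt:hash; the buggy plugin also keeps the key."""
        key = secrets.token_urlsafe(20)
        salt = secrets.token_hex(8)
        self.users[login]["user_activation_key"] = f"{salt}:{self._hash_key(salt, key)}"
        if self.plaintext_copy:
            self.usermeta[login]["arm_reset_password_key"] = key  # the bug
        return key  # in reality this goes to the user's mailbox, not to the caller

    def reset_password(self, login, key, new_password):
        """The reset action: accept the key only if it hashes to the stored value."""
        stored = self.users[login]["user_activation_key"]
        if not stored:
            return False
        salt, digest = stored.split(":", 1)
        if not hmac.compare_digest(self._hash_key(salt, key), digest):
            return False
        self.users[login]["password"] = new_password
        self.users[login]["user_activation_key"] = ""
        self.usermeta[login].pop("arm_reset_password_key", None)
        return True


def attacker_takeover(store, victim):
    """Attacker with only a row-read primitive (the SQLi in the chain) and the
    public reset form. Returns True if the victim's password was changed."""
    store.request_reset(victim)  # trigger a reset; the e-mailed key is never seen
    db_read = lambda table, login: getattr(store, table)[login]  # the read primitive (assumed)
    leaked_meta = db_read("usermeta", victim).get("arm_reset_password_key")
    leaked_core = db_read("users", victim)["user_activation_key"].split(":", 1)[1]
    # Replay whatever the database gave up: the plugin's copy works, core's hash does not.
    for candidate in (leaked_meta, leaked_core):
        if candidate and store.reset_password(victim, candidate, "attacker-chosen"):
            return True
    return False


def takeover_succeeds(plaintext_copy):
    """Run the whole chain against a fresh store with one administrator account."""
    store = ResetStore(plaintext_copy)
    store.add_user("admin", "correct horse battery staple")
    return attacker_takeover(store, "admin")


if __name__ == "__main__":
    print("plaintext copy in user meta:", takeover_succeeds(True))
    print("hashed key only:", takeover_succeeds(False))
```

The point of the model is that a database read is a confidentiality primitive, not a write primitive; the plugin turns it into a write by storing a secret that is accepted verbatim. Hashing the key before storage (what core already does) means the attacker learns a value the reset action will never accept.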

The flaw carries a CVSS 3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The score describes the chained outcome; the storage bug by itself is only reachable by an attacker who already has a way to read the database.

Why It Matters

On its own, the bug requires an attacker to read the wp_usermeta table. Combined with a SQL injection primitive in the same plugin (Wordfence explicitly cites CVE-2026-5073 and CVE-2026-5074), unauthenticated attackers can extract the plaintext reset key for any user and take over the account, including administrator accounts. Full administrator takeover on a WordPress site typically means arbitrary PHP execution and persistence, so any vulnerable ARMember deployment should be treated as a near-total compromise risk.

ARMember Premium is a commercial membership plugin sold through CodeCanyon and is commonly deployed on monetized membership, community, and subscription sites, exactly the targets where account takeover translates directly into exposure of payment data and member PII.

What's Vulnerable

The supplied NVD record does not list specific CPE entries, and there is no CISA KEV entry for this CVE: active in-the-wild exploitation had not been confirmed by KEV at the time of publication. Absent CPE data, treat every ARMember Premium installation at version 7.3.1 or earlier as affected.

Patch Status

The supplied source material does not name a fixed version. The disclosure covers "all versions up to, and including, 7.3.1," so operators should consult the Wordfence advisory and the CodeCanyon product page for the patched release and upgrade guidance. Note that upgrading stops new plaintext keys from being written; any arm_reset_password_key values already sitting in wp_usermeta remain usable secrets until they are cleared or the corresponding reset completes, so a post-upgrade check of that table is worthwhile.
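As an added operator check, not part of the advisory or the plugin, the block below runs the audit an administrator would want after upgrading (or while still waiting on a patch): list every account that has a plaintext arm_reset_password_key in wp_usermeta, flag which of them are administrators (via the serialized wp_capabilities meta) and which still have a pending core reset key, then purge the plaintext copies. The SQL is standard and runs unchanged against MySQL with the default wp_ table prefix (an assumption; adjust the prefix and the wp_capabilities key for non-default installs). The tables are built in SQLite from constructed sample rows so it runs offline; the user_activation_key value is a placeholder, not a real hash.

```python
import sqlite3

# Constructed sample rows for the two WordPress tables involved (default wp_ prefix).
SAMPLE_USERS = [
    (1, "admin",  "1717000000:$P$B.placeholder.hashed.reset.key"),  # reset still pending
    (2, "editor", ""),   # no pending reset, but the plugin's plaintext copy was never cleared
    (3, "member", ""),
]
SAMPLE_USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 1, "arm_reset_password_key", "k3Jd9QmZ2vLpXy7R"),   # constructed value
    (3, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, 2, "arm_reset_password_key", "Hn8sT1wQeR5uYb0P"),   # constructed value
    (5, 3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Every user with a plaintext key, administrators first. reset_pending tells you
# whether core still holds a live hashed key for the same account.
AUDIT_SQL = """
SELECT u.ID,
       u.user_login,
       u.user_activation_key <> ''                       AS reset_pending,
       EXISTS (SELECT 1 FROM wp_usermeta c
               WHERE c.user_id = u.ID
                 AND c.meta_key = 'wp_capabilities'
                 AND c.meta_value LIKE '%"administrator"%') AS is_admin
FROM wp_usermeta k
JOIN wp_users u ON u.ID = k.user_id
WHERE k.meta_key = 'arm_reset_password_key'
  AND k.meta_value <> ''
ORDER BY is_admin DESC, u.user_login
"""

# Stopgap only: removes the replayable copies. It will also invalidate any
# legitimate reset that the plugin itself is mid-way through (assumption about
# plugin behaviour); the real fix is the patched release.
PURGE_SQL = "DELETE FROM wp_usermeta WHERE meta_key = 'arm_reset_password_key'"


def build_sample_db():
    """In-memory SQLite stand-in for the MySQL tables, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY,
            user_login TEXT NOT NULL,
            user_activation_key TEXT NOT NULL DEFAULT ''
        );
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY,
            user_id INTEGER NOT NULL,
            meta_key TEXT NOT NULL,
            meta_value TEXT
        );
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", SAMPLE_USERMETA)
    conn.commit()
    return conn


def audit_plaintext_reset_keys(conn):
    """Return one dict per account that still has a plaintext reset key in user meta."""
    return [
        {"id": row[0], "login": row[1],
         "reset_pending": bool(row[2]), "is_admin": bool(row[3])}
        for row in conn.execute(AUDIT_SQL)
    ]


def purge_plaintext_reset_keys(conn):
    """Delete the plaintext copies; returns how many rows were removed."""
    cur = conn.execute(PURGE_SQL)
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for entry in audit_plaintext_reset_keys(db):
        print(entry)
    print("purged:", purge_plaintext_reset_keys(db))
```

Run the audit before the purge and keep its output: an administrator with a plaintext key and a pending reset that nobody on staff requested is a signal that the chain may already have been attempted, and the account's sessions and password should be rotated rather than just the meta row deleted.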

Sources