CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-5076 — The ARMember Premium plugin for WordPress is vulnerable to an insecure password ...

·Source: NIST NVD

Updated:

Executive Summary

The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. Th

Analysis

The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. CVSS Score: 9.8. Published: 2026-06-02T20:16:40.720.

Indicators of Compromise (3)

CVE (3)
CVE-2026-5073
NVDMITRE CVE
CVE-2026-5074
NVDMITRE CVE
CVE-2026-5076
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on Jun 2, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityNEW

Microsoft's Coreutils project brings Linux commands to Windows

Microsoft announced today at its Build 2026 developer conference the release of Coreutils for Windows, bringing many commonly used Linux command-line utilities to Windows as native applications. [...]

BleepingComputer
CRITICALVulnerability

Critical Kirki flaw exploited to hijack WordPress admin accounts

Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. [...]

CVE-2026-8206
BleepingComputer
LOWVulnerability

Zoom CISO: AI as Security Enabler, Not Role-Replacer

As Zoom's CISO, Sandra McLeod, discusses the challenges of securing a global communication platform, the promise of AI-driven security workflows, and advice for aspiring cybersecurity leaders.

Dark Reading