CVE Catalog

CVE-2026-27060

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Summary

The ARMember Premium plugin version 7.0 and earlier contains a PHP Object Injection vulnerability exploitable by contributors. An attacker with contributor privileges can inject a malicious PHP object, potentially leading to remote code execution.

Risk Assessment

The risk involves a contributor-level user gaining control over the WordPress site, which could lead to data theft, content modification, or further propagation of the attack.

Recommendation

Immediately update the ARMember Premium plugin to the latest available version that addresses this vulnerability. If an update is not possible, consider restricting contributor privileges or temporarily disabling the plugin.

Original NVD description (English source)

Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS