
A Popular WordPress Membership Plugin Has a Flaw That Lets Strangers Read Your Entire Member Database

A critical flaw in ARMember lets anyone on the internet silently extract passwords, emails, and payment data — no login required. Here's what to do now.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

If your website charges for memberships, restricts content to paying users, or stores any kind of user profile data — and you use WordPress — there's a chance a stranger on the internet is quietly reading your entire member database right now, without ever logging in.

Who Is at Risk and How Big Is This Problem?

The vulnerability lives inside ARMember, a widely used WordPress plugin that lets site owners build subscription services, gated content areas, and member communities. The plugin has been downloaded hundreds of thousands of times and powers everything from independent news sites and online course platforms to gym portals and professional associations. Every installation running version 4.0.60 or earlier is affected — which, given the typical lag in plugin updates across the WordPress ecosystem, likely means tens of thousands of live sites today.

The people whose data is at risk aren't just website administrators. They're the members — paying subscribers, registered users, students, customers — anyone who ever typed their name, email address, or payment information into a form on one of these sites. Stolen membership databases are highly valuable commodities on criminal forums: they fuel credential-stuffing attacks, targeted phishing campaigns, and identity theft. For a small business, a breach like this can mean regulatory fines, member lawsuits, and permanent reputational damage.

What an Attacker Actually Does (In Plain English)

Imagine your membership website as a librarian who takes requests. You walk up and say, "Please bring me all the articles tagged 'featured,' sorted by date." The librarian dutifully goes to the back room and retrieves exactly that. Now imagine someone discovered that this particular librarian follows instructions too literally — if you smuggle a second, secret instruction into your request, the librarian will carry that one out too, without asking any questions. That's essentially what's happening here. The plugin has a sorting control — a dropdown or URL parameter that tells it how to order search results — and it passes whatever value it receives directly into a database command without properly checking or cleaning it first.

An attacker doesn't need an account, a password, or any inside knowledge of your site. They simply craft a malicious web request — something they can do from a laptop in a coffee shop — and send it to your site's address. The plugin dutifully hands that instruction to your database, which then leaks information back through a technique called time-based blind injection: by measuring tiny differences in how long your server takes to respond, the attacker can reconstruct data one character at a time. It's painstaking, but it's fully automated with freely available tools, and it works.

What can they extract? Usernames. Email addresses. Hashed passwords (which can often be cracked). Billing details stored in the database. Session tokens. Essentially the entire contents of your WordPress database — including the hidden tables that store your site's admin credentials. Once an attacker has those, they don't just have your member list. They have the keys to your entire website.

The Technical Detail Security Teams Need to Know

The vulnerability is a time-based blind SQL injection in the orderby parameter, present across all request types handled by ARMember's member listing and filtering functionality. Because the parameter is neither properly escaped nor passed through a prepared statement before being interpolated into the SQL query, an unauthenticated attacker can append arbitrary SQL logic using techniques such as conditional SLEEP() calls or heavy query stacking. The flaw is tracked as CVE-2026-7649 and carries a CVSS score of 7.5 (HIGH). The unauthenticated attack vector is what elevates this from a nuisance to a serious incident-response priority — there is no pre-exploitation barrier whatsoever.
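The pattern behind this class of flaw, and the fix, side by side. This is an added illustration written for this article, not ARMember's code: the table name (`{$wpdb->prefix}arm_members`), the column names and the `arm_*` function names are hypothetical, and it assumes a loaded WordPress environment so that the global `$wpdb` object is available. The point it makes is that `ORDER BY` takes an identifier, which `$wpdb->prepare()` cannot bind, so the only safe handling is an allowlist.

```php
<?php
// Added illustration, not ARMember's code. Assumes a custom members table
// named {$wpdb->prefix}arm_members with the (hypothetical) columns used
// in $allowed below. Requires WordPress to be loaded so $wpdb exists.

// VULNERABLE PATTERN: the sort column is interpolated straight into SQL.
// The search term is bound with prepare(), but ORDER BY takes an identifier,
// which prepare() cannot bind, so whatever the request sends becomes SQL.
function arm_list_members_vulnerable( $orderby, $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'arm_members';
    $sql   = $wpdb->prepare(
        "SELECT id, user_login, user_email FROM {$table} WHERE user_login LIKE %s",
        '%' . $wpdb->esc_like( $search ) . '%'
    );
    // The unsafe part: $orderby is never validated or escaped.
    return $wpdb->get_results( $sql . " ORDER BY {$orderby}" );
}

// HARDENED PATTERN: map the request value onto a fixed allowlist of column
// names and directions. Anything not on the list falls back to a default,
// so no request-controlled text ever reaches the query.
function arm_safe_order_clause( $orderby, $order ) {
    $allowed = array(
        'id'         => 'id',
        'login'      => 'user_login',
        'email'      => 'user_email',
        'registered' => 'user_registered',
    );
    $column    = isset( $allowed[ $orderby ] ) ? $allowed[ $orderby ] : 'id';
    $direction = ( strtoupper( (string) $order ) === 'DESC' ) ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

function arm_list_members_hardened( $orderby, $order, $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'arm_members';
    $sql   = $wpdb->prepare(
        "SELECT id, user_login, user_email FROM {$table} WHERE user_login LIKE %s ",
        '%' . $wpdb->esc_like( $search ) . '%'
    );
    return $wpdb->get_results( $sql . arm_safe_order_clause( $orderby, $order ) );
}
```

Both functions would be called from the same request handler; only the hardened one can be given an arbitrary `orderby` value without that value changing the statement.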

Has This Been Used in the Wild?

As of publication, no confirmed active exploitation has been reported. There are no known victim campaigns, no proof-of-concept exploit code circulating publicly, and no threat actor groups have been observed targeting this specific flaw. That's the good news. The less reassuring reality is that the window between a vulnerability disclosure and the first automated scanner sweeping the entire internet for vulnerable installations is often measured in hours, not days. The WordPress plugin ecosystem is a well-known target for mass-exploitation campaigns precisely because update rates are low and the attack surface is enormous. Security teams should treat "no active exploitation confirmed" as a reason to move fast — not a reason to wait.

What You Should Do Right Now

1. Update ARMember to Version 4.0.61 or Later — Immediately

Log into your WordPress dashboard, navigate to Plugins → Installed Plugins, and look for ARMember. If you see a version number of 4.0.60 or below, click "Update Now." The patched version addresses the escaping and query preparation failures at the root of this flaw. If automatic updates are not enabled for this plugin, enable them now. If you manage multiple WordPress sites — even for clients — check every single one. Do not assume someone else has done it.

2. Audit Your Recent Database Access Logs for Suspicious Query Patterns

If you have access to your server's access or database logs, or a web application firewall, look for unusual HTTP requests to your site that contain SQL keywords — things like SLEEP, BENCHMARK, UNION SELECT, or long strings of encoded characters in the URL, particularly in parameters related to sorting or ordering. Your hosting provider or a plugin like Wordfence or Sucuri can help surface these patterns. If you find suspicious activity, assume a breach occurred and treat it as a full incident: notify affected members, reset all admin passwords, and consider engaging a security professional.
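A small script that performs the log audit described above. It is an added example, not a tool from the article, Wordfence or Sucuri: it reads combined-format access-log lines, URL-decodes the sort-related parameters (including double-encoded values, which is how "long strings of encoded characters" hide keywords), and flags the ones carrying SQL keywords. The parameter names, the keyword list and the three log lines are constructed for the example.

```php
<?php
// Added defensive example, not part of the article or of any plugin.
// Flags access-log requests whose sort/order parameters carry SQL keywords.
// The parameter names, the keyword list and $sample_log are constructed.

const SORT_PARAMS = array( 'orderby', 'order', 'sort', 'sort_by' );
const SQL_PATTERN = '/\b(SLEEP|BENCHMARK)\s*\(|\bUNION\s+SELECT\b|\/\*|--\s/i';

// Returns the suspicious "name=value" pairs found in one log line, or [].
function arm_flag_log_line( $line ) {
    // Combined log format request field: "GET /path?query HTTP/1.1"
    if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
        return array();
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! $query ) {
        return array();
    }
    parse_str( $query, $params );   // first layer of URL decoding
    $hits = array();
    foreach ( $params as $name => $value ) {
        if ( ! in_array( strtolower( $name ), SORT_PARAMS, true ) ) {
            continue;
        }
        $decoded = rawurldecode( (string) $value ); // second layer: double-encoding
        // A keyword match, or a sort value far longer than any column name.
        if ( preg_match( SQL_PATTERN, $decoded ) || strlen( $decoded ) > 64 ) {
            $hits[] = $name . '=' . $decoded;
        }
    }
    return $hits;
}

// Constructed sample lines: one normal listing request, one probe with a
// plainly encoded keyword, one with the same keyword double-encoded.
$sample_log = array(
    '203.0.113.5 - - [10/May/2026:10:01:22 +0000] "GET /members/?orderby=registered&order=desc HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2026:10:02:03 +0000] "GET /members/?orderby=id%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2026:10:02:41 +0000] "GET /members/?sort=%2553%254c%2545%2545%2550(5) HTTP/1.1" 200 5120',
);

foreach ( $sample_log as $line ) {
    $hits = arm_flag_log_line( $line );
    echo $hits ? 'SUSPICIOUS: ' . implode( ', ', $hits ) . "\n" : "ok\n";
}
```

Run it as `php audit.php < access.log` after replacing `$sample_log` with lines read from STDIN; the first sample line passes and the other two are flagged.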

3. Force a Password Reset for All Members and Rotate Your Admin Credentials

Even if you see no evidence of exploitation, this is good hygiene if your site has not been updated promptly. Go to Users → All Users in your WordPress dashboard and use a bulk password-reset tool (Wordfence includes one, as do several dedicated plugins) to force all members to choose new passwords on next login. Change your own WordPress admin password immediately, and if you reuse that password anywhere else — email, hosting panel, payment processor — change it there too. Enable two-factor authentication on your admin account if you haven't already.

The Bottom Line

CVE-2026-7649 is a textbook example of a vulnerability class that the security community has understood for over two decades — SQL injection — still appearing in widely deployed software in 2025. The ARMember team has issued a fix, and the path forward is straightforward: update, audit, and rotate credentials. The sites that get hurt in the coming weeks will almost certainly be the ones that delayed. Don't be one of them.

Disclosure: This article is based on publicly available vulnerability data. No exploitation details beyond what is necessary for defensive purposes have been included. If you believe your site has been compromised, contact a qualified incident response professional.
