ARMember
cpe:2.3:a:armemberplugin:armember:*:*:*:*:wordpress:*:*
- <= 7.3.1
A vulnerability exists in the ARMember Premium plugin for WordPress, in all versions through 7.3.1, due to an insecure password reset mechanism. When a user requests a password reset, the plugin saves a plaintext copy of the reset key in the 'arm_reset_password_key' user meta field, alongside the hashed key that WordPress core securely stores. This plaintext key can be used with the plugin's custom 'armrp' reset action to change the password for any user. This vulnerability allows unauthenticated attackers to extract the plaintext reset key and take over any user account, including those of administrators, especially when combined with other vulnerabilities like SQL Injection.
Exploitation of this vulnerability could lead to unauthorized password resets and account takeovers, including administrative accounts.
Users are advised to update to version 7.3.2 or a newer patched version.
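As an added illustration that is not the plugin's own code, the following shows the weak pattern the advisory describes (a second, unhashed copy of the reset key in usermeta) beside a hardened flow that relies only on WordPress core's hashed key, plus a post-update cleanup for any stale plaintext keys. Only the WordPress core functions are real APIs; the surrounding function names are assumed for illustration.

```php
<?php
// Added illustration (not ARMember's code). Only WordPress core functions
// (get_password_reset_key, check_password_reset_key, reset_password,
// update_user_meta, get_users, delete_metadata) are real; the wrapper names
// below are hypothetical.

// WEAK: core already stores a hash of the key in wp_users.user_activation_key.
// Persisting the raw key in wp_usermeta adds an unhashed copy that any read
// primitive on that table (for example SQL injection) can disclose and then
// replay against the plugin's own reset action.
function weak_issue_reset_key( WP_User $user ) {
    $key = get_password_reset_key( $user );   // string or WP_Error
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    update_user_meta( $user->ID, 'arm_reset_password_key', $key ); // plaintext copy
    return $key;
}

// HARDENED: nothing beyond core's hashed copy is persisted. The raw key exists
// only in the e-mailed link and is verified with check_password_reset_key(),
// which also enforces the expiry window.
function hardened_issue_reset_key( WP_User $user ) {
    return get_password_reset_key( $user );   // string or WP_Error, nothing else stored
}

function hardened_complete_reset( $key, $login, $new_password ) {
    $user = check_password_reset_key( $key, $login ); // WP_User or WP_Error
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    reset_password( $user, $new_password );   // wp_set_password() clears user_activation_key
    return $user;
}

// CLEANUP after upgrading: remove any leftover plaintext keys so a historical
// database leak cannot be replayed. Returns how many users still had one.
function purge_plaintext_reset_keys() {
    $ids = get_users( array(
        'meta_key' => 'arm_reset_password_key',
        'fields'   => 'ID',
    ) );
    // $delete_all = true removes the key for every user regardless of object ID.
    delete_metadata( 'user', 0, 'arm_reset_password_key', '', true );
    return count( $ids );
}
```

The cleanup function is also a quick audit check: a non-zero count on a site already running a patched version means stale plaintext keys were still present in the database.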