A vulnerability marked as critical has been reported in ARMember Premium Plugin up to 7.3.1 on WordPress. This affects the function arm_get_directory_members of the component AJAX Action Handler . The manipulation of the argument order/orderby leads to sql injection. This vulnerability is uniquely identified as CVE-2026-5073 . The attack is possible to be carried out remotely. No exploit exists.