PT-2026-20777 · WordPress+1 · Simple Membership+1
Rafał
·
Publicado
2026-02-19
·
Atualizado
2026-02-19
·
CVE-2026-1461
CVSS v3.1
6.5
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Simple Membership plugin for WordPress versions prior to 4.7.1
Description
The Simple Membership plugin for WordPress is susceptible to an issue involving improper handling of missing values in the Stripe webhook handler. The plugin only validates webhook signatures when the
stripe-webhook-signing-secret setting is configured, which is empty by default. This allows unauthenticated attackers to forge Stripe webhook events. Successful exploitation can lead to manipulation of membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially resulting in unauthorized access and service disruption.Recommendations
Update the Simple Membership plugin to version 4.7.1 or later.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Simple Membership
Stripe