PT-2026-20777 · WordPress+1 · Simple Membership+1
Rafał
·
Published
2026-02-19
·
Updated
2026-02-19
·
CVE-2026-1461
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Simple Membership plugin for WordPress versions prior to 4.7.1
Description
The Simple Membership plugin for WordPress is susceptible to an issue involving improper handling of missing values in the Stripe webhook handler. The plugin only validates webhook signatures when the
stripe-webhook-signing-secret setting is configured, which is empty by default. This allows unauthenticated attackers to forge Stripe webhook events. Successful exploitation can lead to manipulation of membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially resulting in unauthorized access and service disruption.Recommendations
Update the Simple Membership plugin to version 4.7.1 or later.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Simple Membership
Stripe