PT-2026-36609 · WordPress · Paid Memberships Pro

Jared Reyes · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-4100

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Paid Memberships Pro versions prior to 3.6.6

Description
The Paid Memberships Pro plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to create, delete, or rebuild the site's Stripe webhook configuration. The cause is missing capability checks in the AJAX handlers registered on the wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, and wp_ajax_pmpro_stripe_rebuild_webhook actions: because wp_ajax_ hooks run for any logged-in user, a Subscriber can invoke them through admin-ajax.php. Tampering with the webhook disrupts payment processing, subscription renewal synchronization, cancellation handling, and failed payment management; this is why the vector carries a high availability impact and only a low integrity impact.

Recommendations
Update to version 3.6.6 or later. As a temporary workaround, restrict the wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, and wp_ajax_pmpro_stripe_rebuild_webhook handlers to administrators, for example by adding a capability check that runs before the plugin's own callbacks on those hooks.
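The following must-use plugin is an added illustration of the workaround, not code from Paid Memberships Pro or from this advisory. It registers a guard on the three AJAX actions the advisory names at a priority lower than the plugin's own callbacks, so the guard runs first and refuses the request unless the caller holds an administrative capability. The hook names assume WordPress's wp_ajax_{action} convention for the actions listed above; the manage_options capability, the priority value, the response message, and the hardened-handler template at the end (including its nonce action name) are assumptions for the example and are not taken from the plugin.

```php
<?php
/**
 * Plugin Name: PMPro Stripe webhook AJAX guard (illustrative example only)
 * Description: Refuses the Stripe webhook AJAX actions for non-administrators.
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * This is not Paid Memberships Pro code; it models the capability gate the
 * advisory says the vulnerable handlers lacked.
 */

defined( 'ABSPATH' ) || exit;

// AJAX actions named in the advisory. WordPress fires "wp_ajax_{action}" for
// logged-in users, which is why a Subscriber could reach the handlers.
const PMPRO_GUARD_STRIPE_WEBHOOK_ACTIONS = array(
	'pmpro_stripe_create_webhook',
	'pmpro_stripe_delete_webhook',
	'pmpro_stripe_rebuild_webhook',
);

/**
 * Runs before the plugin's callback on the same hook and ends the request
 * with HTTP 403 unless the user may manage the site.
 *
 * Assumption: manage_options is the right bar. Subscribers never hold it,
 * administrators always do, so legitimate admin use keeps working.
 */
function pmpro_guard_stripe_webhook_ajax() {
	if ( ! current_user_can( 'manage_options' ) ) {
		// wp_send_json_error() calls wp_die(), so the plugin callback never runs.
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}
}

foreach ( PMPRO_GUARD_STRIPE_WEBHOOK_ACTIONS as $pmpro_guard_action ) {
	// Priority 1: earlier than the default priority 10 the plugin is assumed to use.
	add_action( 'wp_ajax_' . $pmpro_guard_action, 'pmpro_guard_stripe_webhook_ajax', 1 );
}

/**
 * Template for how a state-changing AJAX handler should open: capability check
 * plus CSRF nonce. Not registered to any hook; the nonce action name is a
 * placeholder, not the plugin's real one.
 */
function pmpro_guard_example_hardened_handler() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}
	// check_ajax_referer() dies on a missing or invalid nonce by default.
	check_ajax_referer( 'example_stripe_webhook_nonce', 'nonce' );

	// ... perform the privileged Stripe webhook change here ...
	wp_send_json_success();
}
```

The guard deliberately checks only the capability, not a nonce: the plugin's real nonce action is not known from the advisory, and adding a wrong one would break the administrator's own requests. The guard is a stopgap until 3.6.6 is installed, after which the must-use plugin can be removed.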

Fix

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2026-4100

Affected Products

Paid Memberships Pro