PT-2026-55866 · WordPress · Simple Membership

Duy Tran

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-11855

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Simple Membership WordPress plugin versions prior to 4.7.5
Description Insufficient verification of Stripe webhook requests occurs when no signing secret is configured. Additionally, the plugin fails to escape values retrieved from these requests before displaying them in administrator notices. This allows unauthenticated attackers to perform a Cross-Site Scripting (XSS) attack—injecting arbitrary web scripts that execute within the session of a logged-in administrator.
Recommendations Update Simple Membership WordPress plugin to version 4.7.5 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-11855

Affected Products

Simple Membership