Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
Simple Membership for WordPress: Unauthenticated Access via Stripe Webhook
CVE-2026-1461
Summary
The Simple Membership plugin for WordPress has a security flaw that allows unauthorized access to membership subscriptions. Without proper configuration, an attacker can manipulate subscription status, causing expired memberships to be reactivated or legitimate ones to be canceled. Update the plugin to the latest version to fix this issue.
Original title
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin...
Original description
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
nvd CVSS3.1
6.5
Vulnerability type
CWE-230
- https://plugins.trac.wordpress.org/browser/simple-membership/trunk/classes/class...
- https://plugins.trac.wordpress.org/browser/simple-membership/trunk/ipn/swpm-stri...
- https://plugins.trac.wordpress.org/changeset/3453404/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4df9a6-8f7d-428b-a59...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026