WordPress Plugin Vulnerabilities

Simple Membership < 4.7.5 - Unauthenticated Stored XSS via Stripe Webhook API Version

Description

The plugin does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.

Proof of Concept

Affects Plugins

Fixed in 4.7.5

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Duy Tran
Submitter
Duy Tran
Submitter website
Verified
Yes

Timeline

Publicly Published
2026-06-15 (about 21 days ago)
Added
2026-06-15 (about 20 days ago)
Last Updated
2026-07-03 (about 2 days ago)

Other