WordPress Plugin Vulnerabilities

Simple Membership < 4.7.1 - Unauthenticated Improper Handling of Missing Values

Description

The plugin is vulnerable to Improper Handling of Missing Values via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.

Affects Plugins

Plugin icon
simple-membership
Fixed in 4.7.1

References

CVE
CVE-2026-1461
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4df9a6-8f7d-428b-a596-0751ca047169

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
0N0ise
Verified
No
WPVDB ID
e6d0338f-8735-4937-968b-6848f190802f

Timeline

Publicly Published
2026-02-18 (about 4 months ago)
Added
2026-02-19 (about 4 months ago)
Last Updated
2026-02-19 (about 4 months ago)

Other

Published
Title
Published
2024-12-15
Title
Poll Maker < 5.5.1 - Missing Authorization
Published
2025-04-02
Title
Shopify to WooCommerce Migration <= 1.3.0 - Missing Authorization to Unauthenticated Settings Update
Published
2023-11-07
Title
Ecwid Ecommerce Shopping Cart < 6.12.4 - Missing Authorization on multiple functions
Published
2026-01-23
Title
Wise Analytics < 1.1.20 - Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via 'name' Parameter
Published
2024-04-05
Title
Wholesale For WooCommerce < 2.3.1 - Unauthenticated Arbitrary Post Deletion