What the vulnerability does
01 Description
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
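The failure mode described above, fail-open signature verification when the signing secret is empty, contrasted with the fail-closed check a webhook handler should perform. This is an added illustration, not the plugin's code; it assumes Stripe's `Stripe-Signature: t=<timestamp>,v1=<hex HMAC-SHA256 over "timestamp.payload">` scheme, and the secret, payload and timestamp values are constructed.

```python
import hashlib
import hmac

# Constructed sample values (not from the advisory or the plugin).
SECRET = "whsec_constructed_example_secret"
PAYLOAD = '{"id":"evt_constructed","type":"customer.subscription.deleted"}'
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def sign_event(secret: str, payload: str, timestamp: int) -> str:
    """Build a Stripe-style Stripe-Signature header value: t=<ts>,v1=<hmac>."""
    signed_payload = f"{timestamp}.{payload}".encode()
    mac = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def _signature_valid(secret: str, payload: str, header: str, now: int,
                     tolerance: int = 300) -> bool:
    """Check one v1 signature and the timestamp window (replay protection)."""
    parts = dict(item.split("=", 1) for item in header.split(",") if "=" in item)
    try:
        ts = int(parts["t"])
        given = parts["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret.encode(), f"{ts}.{payload}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)


def accept_event_fail_open(secret: str, payload: str, header: str, now: int) -> bool:
    """Vulnerable pattern: an unset secret disables verification entirely,
    so any unauthenticated request is treated as a genuine Stripe event."""
    if not secret:
        return True
    return _signature_valid(secret, payload, header, now)


def accept_event_fail_closed(secret: str, payload: str, header: str, now: int) -> bool:
    """Hardened pattern: a missing secret is a configuration error, so the
    handler refuses every event until the secret is set, and otherwise
    requires a valid, fresh signature."""
    if not secret:
        return False
    return _signature_valid(secret, payload, header, now)
```

Running the two variants with an empty secret against an unsigned request shows the difference: the fail-open handler accepts it, the fail-closed handler rejects it, and with a configured secret only a correctly signed, fresh event passes.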
Explanation of Vulnerability in Simple Terms
02 Summary
Simple Membership versions 4.7.0 and earlier contain an issue that allows an attacker to read sensitive information and modify data on the site without authentication. The vulnerability requires only network access and no user interaction. Site administrators should update to a version newer than 4.7.0 to remediate the risk.
What an attacker can do
03 Attacker Capabilities
Read sensitive information and modify data on the site without logging in.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter site data, potentially compromising member information and site integrity.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 19, 2026
CVE published
April 8, 2026
Record updated