CVE-2026-1461 MEDIUM

CVE-2026-1461: Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values

Vendor Wpinsider-1
Product Simple Membership
Weakness CWE-230
Published February 19, 2026
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
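The defect class the description names, shown as an added PHP example (not Simple Membership's code): a webhook verifier with the "skip the check when the secret is empty" shape beside a fail-closed version. The class name, the event body and the empty-secret scenario are constructed for illustration; the signature format follows Stripe's documented scheme, and PHP 8 is assumed.

```php
<?php
// Added example, not Simple Membership's code. Stripe's documented scheme:
// header "t=<ts>,v1=<hex>", signed payload "<ts>.<body>", HMAC-SHA256 keyed
// with the endpoint signing secret.
final class WebhookVerifier
{
    public function __construct(
        private string $signingSecret,       // the plugin's stored setting
        private int $toleranceSeconds = 300  // replay window used by Stripe's SDKs
    ) {}

    // Shape the advisory describes: with an empty secret the check is skipped,
    // so any unauthenticated POST body is trusted as a Stripe event.
    public function isValidLenient(string $body, string $header, int $now): bool
    {
        return $this->signingSecret === '' || $this->isValid($body, $header, $now);
    }

    // Fail-closed shape: an unconfigured secret is a reason to reject.
    public function isValid(string $body, string $header, int $now): bool
    {
        if ($this->signingSecret === '') {
            return false;
        }
        $ts = null; $sigs = [];
        foreach (explode(',', $header) as $part) {
            [$k, $v] = array_pad(explode('=', trim($part), 2), 2, '');
            if ($k === 't' && preg_match('/\A\d+\z/', $v)) {
                $ts = (int) $v;
            } elseif ($k === 'v1' && $v !== '') {
                $sigs[] = $v;
            }
        }
        if ($ts === null || $sigs === [] || abs($now - $ts) > $this->toleranceSeconds) {
            return false;
        }
        $expected = hash_hmac('sha256', $ts . '.' . $body, $this->signingSecret);
        foreach ($sigs as $sig) {
            if (hash_equals($expected, $sig)) {  // constant-time compare
                return true;
            }
        }
        return false;
    }
}

// Constructed forged event: unsigned body, secret left at its empty default.
$body = '{"type":"customer.subscription.updated","data":{"object":{"status":"active"}}}';
$v = new WebhookVerifier('');
var_dump($v->isValidLenient($body, '', time()), $v->isValid($body, '', time()));
```

With the secret left empty, the lenient variant accepts the unsigned body while the fail-closed variant rejects it; a handler should also refuse to start processing events at all until the secret is set.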

Explanation of Vulnerability in Simple Terms

02 Summary

Simple Membership versions 4.7.0 and earlier contain an issue that allows an attacker to read sensitive information and modify data on the site without authentication. The vulnerability requires only network access and no user interaction. Site administrators should update to a version newer than 4.7.0 to remediate the risk.

What an attacker can do

03 Attacker Capabilities

Read sensitive information and modify data on the site without logging in.

Potential impact on your site

04 Site Impact

Unauthorized users can access and alter site data, potentially compromising member information and site integrity.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 19, 2026 CVE published
April 8, 2026 Record updated