Description
The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim's subscription ID, setting the target member's account_state to 'inactive' and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.
Published: 2026-06-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Membership plugin for WordPress contains a missing authorization flaw (CWE-862): when no Stripe webhook signing secret is configured, the webhook handler processes incoming events without verifying that they actually came from Stripe. An unauthenticated attacker can therefore send a forged "charge.refunded" event carrying a victim's subscription ID, and the plugin sets that member's account_state to inactive, fires cancellation hooks, updates transaction records, and sends cancellation notification emails. The result is unauthorized deactivation of arbitrary member accounts and interruption of the victim's paid access or subscription.

Affected Systems

All installations of the Simple Membership plugin on WordPress, in every version up to and including 4.7.5, are affected. The issue exists in the default configuration, where no Stripe webhook signing secret has been set; sites that have configured the secret are routed to the HMAC-verified path and are not affected.

Risk and Exploitability

With a CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) the flaw is rated medium: it is reachable over the network with no credentials and no user interaction, but it is scored as an integrity impact only (I:L, with C:N and A:N). The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, so the observed likelihood of exploitation is currently low, although the SSVC assessment marks it as automatable. An attacker only needs to POST a crafted charge.refunded event containing a victim's subscription ID to the site's Stripe webhook handler, and succeeds whenever the site has not configured a webhook signing secret. Because that secret is unset by default, every site that has not explicitly configured it is exposed.

Generated by OpenCVE AI on June 18, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Membership plugin to a version later than 4.7.5 (4.7.6 or newer) that adds proper authorization checks to the webhook handler, as soon as such a release is available.
  • Configure a Stripe webhook signing secret in the plugin settings so that every incoming webhook is HMAC-verified and forged events are rejected; confirm the change by checking that an unsigned test request to the webhook endpoint is no longer acted on.
  • As defence in depth, restrict the Stripe webhook endpoint to legitimate traffic, for example by requiring authentication on the endpoint or with firewall rules limited to the IP ranges Stripe publishes for its webhook deliveries. Treat this as secondary to signature verification, which is the control that actually authenticates the event.
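To make the two code paths in the description concrete, and to show what the recommended signing-secret configuration actually changes, here is an added Python model (not the plugin's own code, which is PHP, and not code from Wordfence or OpenCVE). It implements Stripe's real signature scheme (a Stripe-Signature header of the form t=<timestamp>,v1=<hex>, where v1 is HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the endpoint secret) and contrasts a handler that trusts the body when no secret is configured, as the advisory describes, with one that fails closed. The member table, the secret value, the forged event and the assumption that the subscription ID is read from data.object.subscription are all constructed for this example; the cancellation hooks, transaction updates and emails the advisory mentions are collapsed into the single account_state change.

```python
import hashlib
import hmac
import json
import time

# All data below is constructed for this example; none of it comes from the plugin.
SIGNING_SECRET = "whsec_example_secret_for_this_demo_only"  # assumed endpoint secret
TOLERANCE_SECONDS = 300  # replay window, the default the official Stripe SDKs use

# Toy member table keyed by Stripe subscription ID (constructed).
MEMBERS = {"sub_victim001": {"member_id": 42, "account_state": "active"}}

def reset_members():
    MEMBERS["sub_victim001"]["account_state"] = "active"

def sign_payload(raw_body, secret, timestamp=None):
    """Produce a Stripe-Signature header value ("t=...,v1=...") the way Stripe
    does: HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the endpoint secret."""
    t = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret.encode(), f"{t}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={t},v1={mac}"

def verify_signature(raw_body, header, secret, now=None):
    """The properly verified HMAC path: parse the header, reject a stale timestamp,
    recompute the MAC over the *raw* body and compare in constant time."""
    now = int(time.time()) if now is None else now
    timestamp, v1_values = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            v1_values.append(value)
    if timestamp is None or not v1_values:
        return False
    try:
        t = int(timestamp)
    except ValueError:
        return False
    if abs(now - t) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret.encode(), f"{t}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, v) for v in v1_values)

def apply_event(event):
    """Effect of a charge.refunded event on the member table. Reading the subscription
    ID from data.object.subscription is an assumption made for this example."""
    if event.get("type") != "charge.refunded":
        return "ignored: not charge.refunded"
    sub_id = event.get("data", {}).get("object", {}).get("subscription")
    member = MEMBERS.get(sub_id)
    if member is None:
        return "ignored: unknown subscription"
    member["account_state"] = "inactive"  # the advisory's account_state = 'inactive'
    return f"member {member['member_id']} set inactive"

def handle_webhook_vulnerable(raw_body, header, configured_secret):
    """Model of the behaviour the advisory describes: with no secret configured the
    event body is trusted as-is; only a configured secret routes to the HMAC check."""
    if configured_secret and not verify_signature(raw_body, header, configured_secret):
        return "rejected: bad signature"
    return apply_event(json.loads(raw_body))

def handle_webhook_hardened(raw_body, header, configured_secret):
    """Fail closed: an unconfigured secret means no event is processed at all."""
    if not configured_secret:
        return "rejected: no webhook signing secret configured"
    if not verify_signature(raw_body, header, configured_secret):
        return "rejected: bad signature"
    return apply_event(json.loads(raw_body))

def forge_event(sub_id):
    """Attacker-built charge.refunded event; Stripe is never involved."""
    return json.dumps({"type": "charge.refunded",
                       "data": {"object": {"subscription": sub_id}}}).encode()

def demo():
    """Run the forged event through both handlers in both configurations."""
    forged = forge_event("sub_victim001")
    results = {}
    for name, handler, secret, header in [
        ("vulnerable_no_secret", handle_webhook_vulnerable, None, ""),
        ("vulnerable_with_secret", handle_webhook_vulnerable, SIGNING_SECRET, "t=0,v1=00"),
        ("hardened_no_secret", handle_webhook_hardened, None, ""),
        ("hardened_genuine", handle_webhook_hardened, SIGNING_SECRET,
         sign_payload(forged, SIGNING_SECRET)),  # stands in for a real Stripe delivery
    ]:
        reset_members()
        results[name] = handler(forged, header, secret)
    reset_members()
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} -> {outcome}")
```

The model shows why "configure the secret" is the fix and not merely a hardening step: the forged event is rejected only when the HMAC path runs, and the hardened handler additionally refuses to act when no secret exists, so a fresh install cannot be exploited before the operator finishes setup. Two details matter in practice and are easy to get wrong when porting this to PHP: the MAC must be computed over the raw request body exactly as received (re-serialising a decoded JSON object changes the bytes), and the comparison must be constant-time.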

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
                                      Wpinsider-1
                                      Wpinsider-1 simple Membership
Vendors & Products                    Wordpress
                                      Wordpress wordpress
                                      Wpinsider-1
                                      Wpinsider-1 simple Membership

Thu, 18 Jun 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim's subscription ID, setting the target member's account_state to 'inactive' and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.
Title                          Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation via Forged Stripe 'charge.refunded' Webhook
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T13:53:39.765Z

Reserved: 2026-06-12T14:07:59.651Z

Link: CVE-2026-12093

Vulnrichment

Updated: 2026-06-18T13:22:04.866Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:45:03Z

Weaknesses