CVE-2026-1461 - Vulnerability Details

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/simple-membership/trunk/classes/class.swpm-wp-loaded-tasks.php#L90
https://plugins.trac.wordpress.org/browser/simple-membership/trunk/ipn/swpm-stripe-webhook-handler.php#L26
https://plugins.trac.wordpress.org/changeset/3453404/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4df9a6-8f7d-428b-a596-0751ca047169?source=cve

History

Thu, 19 Feb 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
Title		Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values
Weaknesses		CWE-230
References		https://plugins.trac.wordpress.org/browser/simple-membership/trunk/classes/class.swpm-wp-loaded-tasks.php#L90 https://plugins.trac.wordpress.org/browser/simple-membership/trunk/ipn/swpm-stripe-webhook-handler.php#L26 https://plugins.trac.wordpress.org/changeset/3453404/ https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4df9a6-8f7d-428b-a596-0751ca047169?source=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-19T09:26:34.833Z

Updated: 2026-02-19T09:26:34.833Z

Reserved: 2026-01-27T02:01:14.522Z

Link: CVE-2026-1461

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object