Security Alert Summary
The Simple Membership plugin for WordPress has a vulnerability in its Stripe webhook handling that can allow unauthenticated actors to submit forged webhook events when the plugin’s stripe-webhook-signing-secret setting is not configured. An attacker who exploits this issue may be able to alter membership subscription states (for example, reactivating expired memberships or canceling legitimate subscriptions), which can lead to unauthorized access to member-only content or disruption of subscription handling.
CVE Details
- CVE ID: CVE-2026-1461
- Affected component: Simple Membership plugin — Stripe webhook handler
- Affected versions: All versions up to, and including, 4.7.0
- Published: February 19, 2026 at 10:16:11 AM (time zone not specified)
- Last modified: February 19, 2026 at 03:52:39 PM (time zone not specified)
- CVSS v3.1: Base Score 6.5, Severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE
- CWE / Weakness: CWE-230
Technical Details
According to the CVE entry, the vulnerability is an improper handling of missing values in the Stripe webhook handler. The plugin validates webhook signatures only when the stripe-webhook-signing-secret setting is configured. That setting is empty by default, so signature validation is effectively skipped unless an administrator has explicitly provided the signing secret.
Because signature verification is conditional on a non-empty setting, an attacker can send forged Stripe webhook events that the handler will process without verifying authenticity. The CVE specifically describes manipulation of membership subscription state — for example, reactivating expired memberships without payment or canceling subscriptions. The repository references include the Stripe webhook handler implementation (for example, swpm-stripe-webhook-handler.php) where the conditional check occurs.
The impact described is limited to manipulation of subscription data and related membership state. The entry does not specify additional escalation paths or remote code execution vectors.
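The following is an added illustration, not code from the Simple Membership plugin or from the advisory, of the difference between the conditional pattern described above and a fail-closed check. It implements Stripe's documented signing scheme (the Stripe-Signature header carries `t=<timestamp>` and one or more `v1=<hex>` values, where each `v1` is HMAC-SHA256 over `"<timestamp>.<raw body>"` keyed with the endpoint's signing secret). The secret, payload and timestamps below are constructed sample values; `verify_webhook_vulnerable_pattern` only models the "skip verification when the secret is empty" behaviour the CVE describes and is not the plugin's actual code.

```python
import hashlib
import hmac
import time

# Constructed sample endpoint secret (a real one is the whsec_... value shown
# in the Stripe dashboard for the webhook endpoint).
SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # Stripe's default replay tolerance


def parse_signature_header(header):
    """Split a Stripe-Signature header into (timestamp, [v1 signatures]).

    Returns (None, []) for anything malformed so callers fail closed.
    """
    timestamp = None
    sigs = []
    try:
        for part in header.split(","):
            key, _, value = part.strip().partition("=")
            if key == "t":
                timestamp = int(value)
            elif key == "v1":
                sigs.append(value)
    except (AttributeError, ValueError):
        return None, []
    return timestamp, sigs


def sign_payload(secret, timestamp, payload):
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded (Stripe v1 scheme)."""
    signed = f"{timestamp}.{payload}".encode()
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def make_signature_header(secret, timestamp, payload):
    """Build a valid header the way Stripe would; used here only to construct test input."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"


def verify_webhook_fail_closed(payload, sig_header, secret, now=None):
    """Accept an event only when it carries a valid, fresh signature.

    A missing secret is treated as a misconfiguration and rejects every event,
    which is the behaviour an administrator would want while the setting is empty.
    """
    if not secret or not sig_header:
        return False
    now = int(time.time()) if now is None else now
    timestamp, sigs = parse_signature_header(sig_header)
    if timestamp is None or not sigs:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed event
    expected = sign_payload(secret, timestamp, payload)
    # constant-time comparison against each v1 value (Stripe may send several
    # during a secret rotation)
    return any(hmac.compare_digest(expected, s) for s in sigs)


def verify_webhook_vulnerable_pattern(payload, sig_header, secret, now=None):
    """Model of the conditional pattern in the advisory: verify only if a secret is set.

    With an empty secret, any payload passes, so an unsigned event is accepted.
    """
    if not secret:
        return True
    return verify_webhook_fail_closed(payload, sig_header, secret, now)


if __name__ == "__main__":
    body = '{"id":"evt_constructed","type":"customer.subscription.updated"}'
    now = 1700000000
    header = make_signature_header(SECRET, now, body)
    print("signed event, fail-closed:", verify_webhook_fail_closed(body, header, SECRET, now))
    print("unsigned event, empty secret, fail-closed:", verify_webhook_fail_closed(body, "", "", now))
    print("unsigned event, empty secret, conditional pattern:", verify_webhook_vulnerable_pattern(body, "", "", now))
```

The check that matters for this CVE is the first `if` in `verify_webhook_fail_closed`: an empty `stripe-webhook-signing-secret` should reject events rather than bypass verification. The timestamp tolerance and constant-time comparison are the other two properties a webhook receiver should keep, since the raw body (not a re-serialised copy) is what the signature covers.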
How This Could Impact Your Website
Consider a small membership site with multiple people involved: a site owner who manages billing settings, internal staff who administer content and users, and external contractors who contribute content but do not manage billing. If the Stripe signing secret is not configured, an unauthenticated actor could submit forged webhook events that change subscription status. Practical consequences include members regaining access without payment or legitimate subscribers being marked as canceled.
These changes can lead to unauthorized access to member-only materials and increase the risk of follow-on issues such as incorrect billing records or confusion among staff and subscribers. While the CVSS metrics indicate low confidentiality and integrity impacts and no availability impact, the alteration of subscription records can still cause administrative disruption and customer service workload.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Ensure the Stripe webhook signing secret (stripe-webhook-signing-secret) is configured so that webhook signatures are validated.
- Review and reduce unnecessary user roles, especially contributor-level accounts and any roles that can affect billing or subscription settings.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins to reduce your attack surface.
- Monitor site activity and membership changes for unusual behavior (unexpected reactivations, cancellations, or billing inconsistencies).
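As an added example of the monitoring step above (not part of the advisory, and not based on the plugin's real logging, which the page does not describe), the script below runs two simple rules over a constructed membership audit log in a hypothetical `key=value` format: a webhook-driven reactivation with no payment event for that member in the preceding 15 minutes, and a burst of webhook-driven cancellations inside a 10-minute window. Both patterns match the consequences the advisory lists (reactivation without payment, legitimate subscribers marked canceled). Field names, windows and thresholds are assumptions to adapt to whatever audit trail your site actually keeps.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines in a hypothetical format; the plugin's real
# log layout is not documented on the page. Member ids are made up.
SAMPLE_LOG = """\
2026-02-19T10:00:00Z member=101 event=invoice.paid source=stripe_webhook
2026-02-19T10:00:05Z member=101 event=subscription.reactivated source=stripe_webhook
2026-02-19T11:30:00Z member=202 event=subscription.reactivated source=stripe_webhook
2026-02-19T12:15:00Z member=303 event=subscription.canceled source=stripe_webhook
2026-02-19T12:16:00Z member=304 event=subscription.canceled source=stripe_webhook
2026-02-19T12:17:00Z member=305 event=subscription.canceled source=stripe_webhook
2026-02-19T13:00:00Z member=404 event=subscription.canceled source=admin_ui
"""

PAYMENT_WINDOW = timedelta(minutes=15)  # assumed: how long after a payment a reactivation is expected
BURST_WINDOW = timedelta(minutes=10)    # assumed: window for counting cancellations
BURST_THRESHOLD = 3                     # assumed: cancellations in the window that warrant a look


def parse_log(text):
    """Turn each non-empty line into a dict of fields plus a UTC 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        record = dict(f.split("=", 1) for f in fields)
        record["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(record)
    return events


def find_suspicious(events):
    """Return (rule, member, timestamp) tuples for events worth reviewing."""
    findings = []
    last_payment = {}   # member -> time of most recent invoice.paid
    recent_cancels = [] # timestamps of webhook cancellations inside BURST_WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        member, kind, source, ts = ev["member"], ev["event"], ev["source"], ev["ts"]
        if kind == "invoice.paid":
            last_payment[member] = ts
        elif kind == "subscription.reactivated" and source == "stripe_webhook":
            # Rule 1: a webhook reactivated a membership with no payment shortly before it.
            paid = last_payment.get(member)
            if paid is None or ts - paid > PAYMENT_WINDOW:
                findings.append(("reactivation_without_payment", member, ts))
        elif kind == "subscription.canceled" and source == "stripe_webhook":
            # Rule 2: several webhook cancellations landing close together.
            recent_cancels = [t for t in recent_cancels if ts - t <= BURST_WINDOW]
            recent_cancels.append(ts)
            if len(recent_cancels) == BURST_THRESHOLD:
                findings.append(("cancellation_burst", member, ts))
    return findings


if __name__ == "__main__":
    for rule, member, ts in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule} member={member}")
```

Member 101 is reactivated five seconds after a payment and is left alone; member 202 is reactivated with no payment on record and is flagged; the three webhook cancellations between 12:15 and 12:17 trip the burst rule, while the cancellation made from the admin UI is ignored. Whatever rules you choose, the useful property is that they key on the source of the change, since the CVE's whole effect is state changes arriving through the webhook path.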
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/simple-membership/trunk/classes/class.swpm-wp-loaded-tasks.php#L90
- https://plugins.trac.wordpress.org/browser/simple-membership/trunk/ipn/swpm-stripe-webhook-handler.php#L26
- https://plugins.trac.wordpress.org/changeset/3453404/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4df9a6-8f7d-428b-a596-0751ca047169?source=cve