CVE-2026-12093

EUVD-2026-37847
The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim's subscription ID, setting the target member's account_state to 'inactive' and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/classes/class.swpm-wp-loaded-tasks.php#L96
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm-stripe-webhook-handler.php#L297
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm-stripe-webhook-handler.php#L71
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm_handle_subsc_ipn.php#L381
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/classes/class.swpm-wp-loaded-tasks.php#L96
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm-stripe-webhook-handler.php#L297
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm-stripe-webhook-handler.php#L71
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm_handle_subsc_ipn.php#L381
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3573852%40simple-membership&new=3573852%40simple-membership&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f91a7c3-ee0e-48e9-aa5f-dfc1160bbc09?source=cve