Authorization Bypass in Simple Membership Plugin for WordPress
CVE-2026-12093

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Simple Membership
Vendor: CVE Published:; 18 June 2026

What is CVE-2026-12093?

The Simple Membership plugin for WordPress is susceptible to an authorization bypass flaw across all versions prior to and including 4.7.5. This vulnerability arises because the plugin inadequately ensures that a user has the necessary permissions to perform certain actions. Unauthenticated attackers can exploit this flaw to deactivate any member's account by replicating a charge.refunded webhook event that contains the victim's subscription ID. Consequently, this triggers the setting of the member's account state to 'inactive,' leading to executed cancellation hooks, changes to transaction record statuses, and the sending of cancellation notification emails. This vulnerability is primarily exploitable in installations that do not have the Stripe webhook signing secret configured, which is the default state for new installations; those that have configured the signing secret are directed to the HMAC verification process and remain unaffected.

Affected Version(s)

Simple Membership 0 <= 4.7.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/simple-members...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

Nikita Fenko

CVE-2026-12093 Data

JSON