Improper Value Handling in Simple Membership Plugin for WordPress

CVE-2026-1461

What is CVE-2026-1461?

The Simple Membership plugin for WordPress is susceptible to a vulnerability that involves improper handling of missing values, specifically in its Stripe webhook handler. All versions up to and including 4.7.0 are affected. The issue arises because the plugin only validates webhook signatures if a specific setting (stripe-webhook-signing-secret) is configured, which is empty by default. This creates an opportunity for unauthenticated attackers to forge webhook events, potentially enabling them to manipulate membership subscriptions. Such manipulation can lead to unauthorized reactivation of expired memberships without payment, or cancellation of legitimate subscriptions, which may disrupt services and grant unauthorized access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References