Improper Value Handling in Simple Membership Plugin for WordPress
CVE-2026-1461

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Simple Membership
Vendor: CVE Published:; 19 February 2026

What is CVE-2026-1461?

The Simple Membership plugin for WordPress is susceptible to a vulnerability that involves improper handling of missing values, specifically in its Stripe webhook handler. All versions up to and including 4.7.0 are affected. The issue arises because the plugin only validates webhook signatures if a specific setting (stripe-webhook-signing-secret) is configured, which is empty by default. This creates an opportunity for unauthenticated attackers to forge webhook events, potentially enabling them to manipulate membership subscriptions. Such manipulation can lead to unauthorized reactivation of expired memberships without payment, or cancellation of legitimate subscriptions, which may disrupt services and grant unauthorized access.

Affected Version(s)

Simple Membership 0 <= 4.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/simple-members...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Jan 27, 2026

Credit

Rafał

CVE-2026-1461 Data

JSON