Unauthorized Access Vulnerability in Paid Memberships Pro Plugin for WordPress
CVE-2026-4100

7.1HIGH

Key Information:

Vendor: WordPress
Status: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-4100?

The Paid Memberships Pro plugin for WordPress is susceptible to unauthorized modifications, allowing attackers with Subscriber-level access and above to manipulate the Stripe webhook settings. Specifically, these vulnerabilities stem from the absence of necessary capability checks in several AJAX handlers including wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, and wp_ajax_pmpro_stripe_rebuild_webhook. This oversight can lead to significant disruptions in payment processing, subscription management, and handling of failed transactions.

Affected Version(s)

Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions 0 <= 3.6.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/strangerstudios/paid-memberships-pro/p...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Mar 13, 2026

Credit

Jared Reyes

CVE-2026-4100 Data

JSON