CVE-2026-12093

June 18, 2026, 6:16 a.m.

5.3
Medium

Description

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim's subscription ID, setting the target member's account_state to 'inactive' and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Simple Membership
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress simple_membership / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/classes/class.swpm-wp-loaded-tasks.php#L96
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm-stripe-webhook-handler.php#L297
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm-stripe-webhook-handler.php#L71
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm_handle_subsc_ipn.php#L381
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/classes/class.swpm-wp-loaded-tasks.php#L96
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm-stripe-webhook-handler.php#L297
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm-stripe-webhook-handler.php#L71
https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm_handle_subsc_ipn.php#L381
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3573852%40simple-membership&new=3573852%40simple-membership&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f91a7c3-ee0e-48e9-aa5f-dfc1160bbc09?source=cve

Tags

[email protected]
CWE-862
2026-06-18
CVE-2026-12093

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: June 18, 2026, 6:16 a.m.
Last Modified: June 18, 2026, 6:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.