GHSA-6Q57-F535-3G3G
Vulnerability from github – Published: 2026-06-18 06:32 – Updated: 2026-06-18 06:32The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim's subscription ID, setting the target member's account_state to 'inactive' and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.
{
"affected": [],
"aliases": [
"CVE-2026-12093"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-18T06:16:57Z",
"severity": "MODERATE"
},
"details": "The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim\u0027s subscription ID, setting the target member\u0027s account_state to \u0027inactive\u0027 and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.",
"id": "GHSA-6q57-f535-3g3g",
"modified": "2026-06-18T06:32:21Z",
"published": "2026-06-18T06:32:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12093"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/classes/class.swpm-wp-loaded-tasks.php#L96"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm-stripe-webhook-handler.php#L297"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm-stripe-webhook-handler.php#L71"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.3/ipn/swpm_handle_subsc_ipn.php#L381"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/classes/class.swpm-wp-loaded-tasks.php#L96"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm-stripe-webhook-handler.php#L297"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm-stripe-webhook-handler.php#L71"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/tags/4.7.4/ipn/swpm_handle_subsc_ipn.php#L381"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3573852%40simple-membership\u0026new=3573852%40simple-membership\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f91a7c3-ee0e-48e9-aa5f-dfc1160bbc09?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.