CVE-2026-4100
Unauthorized Stripe Webhook Modification in Paid Memberships Pro
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stranger_studios | paid_memberships_pro | to 3.6.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Paid Memberships Pro plugin for WordPress has a vulnerability in all versions up to and including 3.6.5 that allows unauthorized modification and disruption of Stripe webhook configuration.
This happens because the plugin's AJAX handlers for creating, deleting, and rebuilding Stripe webhooks lack capability checks. In WordPress, a wp_ajax_{action} hook fires for any logged-in user; the only authorization that exists is whatever the handler itself performs, so a handler that never calls current_user_can() is reachable by every account on the site.
As a result, authenticated users with Subscriber-level access or higher can delete, create, or rebuild the site's Stripe webhook without holding the payment-settings or manage_options capability that these operations should require.
This vulnerability enables attackers to disrupt payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.
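To make the missing-check pattern concrete, here is an added example (not Paid Memberships Pro's own code) of a WordPress AJAX handler for the delete-webhook action in both the vulnerable shape the advisory describes and a hardened shape. Hypothetical names: pmpro_example_stripe_delete_webhook() stands in for the plugin's Stripe call, and the nonce action string 'pmpro_stripe_webhook' and the script handle 'pmpro-example-admin' are assumed. The capability checked is manage_options, which the page names; the PMPro-specific payment-settings capability is not named on this page, so it is not used here.

```php
<?php
/*
 * Added example, not PMPro code. Vulnerable and hardened versions of a
 * wp_ajax_ handler for the pmpro_stripe_delete_webhook action named on
 * this page. All identifiers below marked "hypothetical" are assumptions.
 */

// Hypothetical stand-in for the code that calls the Stripe API.
function pmpro_example_stripe_delete_webhook() {
    // ... delete the webhook endpoint via the Stripe SDK ...
    return array( 'deleted' => true );
}

/*
 * VULNERABLE SHAPE (CWE-862). admin-ajax.php runs do_action( 'wp_ajax_' . $action )
 * for any logged-in user and performs no capability check of its own, so a
 * Subscriber who knows the action name reaches the Stripe call directly.
 */
function pmpro_example_delete_webhook_vulnerable() {
    $result = pmpro_example_stripe_delete_webhook();
    wp_send_json_success( $result );
}

/*
 * HARDENED SHAPE: nonce check (CSRF) and capability check (authorization),
 * both before any side effect. This mirrors what the advisory says the
 * fixed release adds.
 */
function pmpro_example_delete_webhook_hardened() {
    // On a missing or invalid nonce this dies with "-1" and HTTP 403.
    check_ajax_referer( 'pmpro_stripe_webhook', 'nonce' );

    // Authorization: Subscribers and other low-privilege roles stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $result = pmpro_example_stripe_delete_webhook();
    wp_send_json_success( $result );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_pmpro_stripe_delete_webhook', 'pmpro_example_delete_webhook_hardened' );

// The admin page that issues the request must send the matching nonce as the
// 'nonce' field. Assumes a script handle 'pmpro-example-admin' is registered
// elsewhere (hypothetical).
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'pmpro-example-admin', 'pmproExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'pmpro_stripe_webhook' ),
    ) );
} );
```

The order of the two checks matters only for error reporting; what makes the handler safe is that neither the nonce nor the capability check can be skipped, and both run before the Stripe call has any effect.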
How can this vulnerability impact me?
This vulnerability can severely impact your site's payment and subscription management.
- Attackers with low-level access can disrupt all payment processing by deleting or modifying Stripe webhooks.
- Subscription renewals may fail to synchronize properly, leading to service interruptions for paying members.
- Cancellation handling and failed payment management can be disrupted, potentially causing financial and customer service issues.
Overall, this can lead to loss of revenue, customer dissatisfaction, and operational disruptions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Paid Memberships Pro plugin to a release later than 3.6.5 (all versions up to and including 3.6.5 are affected); the fix is the set of security improvements merged on March 13, 2026.
The security update adds capability (authorization) checks and nonce verification to the Stripe webhook AJAX handlers, requiring the PMPro payment-settings capability or manage_options before allowing create, delete, or rebuild actions on Stripe webhooks.
If updating immediately is not possible, block the affected actions rather than relying on role permissions (a Subscriber already has minimal capabilities; the problem is that the handlers never check them): reject requests to admin-ajax.php whose action parameter is one of the three webhook actions at the web server or WAF, or enforce the capability check in front of the plugin's handlers with a must-use plugin; reduce the pool of low-privilege accounts by disabling open user registration; or temporarily deactivate the plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access and above to modify or disrupt Stripe webhook configurations, which can interfere with payment processing, subscription renewals, cancellations, and failed payment management.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, disruption or unauthorized modification of payment processing systems could potentially lead to non-compliance with regulations that require secure handling of payment and personal data.
However, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other common standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of Stripe webhook configurations via specific AJAX handlers in the Paid Memberships Pro WordPress plugin. Detection can focus on monitoring for unauthorized or suspicious AJAX requests to the endpoints associated with these handlers.
- Look for requests to /wp-admin/admin-ajax.php whose action parameter is pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, or pmpro_stripe_rebuild_webhook. (The corresponding WordPress hooks are wp_ajax_pmpro_stripe_create_webhook and so on; the wp_ajax_ prefix is the hook name, not part of the request.)
- Treat any such request from an account that is not an administrator as suspicious; webhook management is an admin-only operation, and a Subscriber has no legitimate reason to call these actions.
Suggested commands to detect such activity include filtering web server logs. For example, using grep on Apache or Nginx access logs:
- grep 'admin-ajax.php' /var/log/apache2/access.log | grep -E 'action=pmpro_stripe_(create|delete|rebuild)_webhook'
Note the limitation: access logs record the query string but not POST bodies, and admin-ajax.php accepts the action parameter from either, so this only catches requests that put the action in the URL. To see the action when it is sent in the body, log request bodies at the reverse proxy or WAF, or log the attempts from inside WordPress.
- Packet capture with tcpdump or Wireshark can show the POST body, but only where the traffic is in the clear, i.e. behind a reverse proxy that terminates TLS; on the public side of an HTTPS site the parameters are not visible.
Additionally, reviewing WordPress user activity logs or audit logs for unexpected changes to Stripe webhook settings can help identify exploitation attempts.
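The following added example (not PMPro's or WordPress's own code) covers both the interim mitigation and the detection gap described above: a must-use plugin that hooks the three webhook actions ahead of the plugin's own handlers, refuses them for any user without manage_options, and writes each blocked attempt to the PHP error log so it is visible even when the action arrived in a POST body. The action names are taken from this page and should be verified against the installed plugin; the capability checked is manage_options because the PMPro-specific payment-settings capability is not named here. It assumes PMPro registers these hooks at the default priority (10), so priority 1 runs first.

```php
<?php
/**
 * Plugin Name: PMPro Stripe webhook AJAX guard (temporary)
 * Description: Added example, not PMPro code. Place in wp-content/mu-plugins/
 * until the site runs a PMPro release later than 3.6.5, then remove it.
 */

// Action names as given on this advisory page; verify against the installed plugin.
const PMPRO_GUARD_ACTIONS = array(
    'pmpro_stripe_create_webhook',
    'pmpro_stripe_delete_webhook',
    'pmpro_stripe_rebuild_webhook',
);

foreach ( PMPRO_GUARD_ACTIONS as $action ) {
    // Priority 1 runs before a handler registered at the default priority 10,
    // and wp_send_json_error() below terminates the request, so the plugin's
    // own handler never executes for a blocked user. Assumption: PMPro does
    // not register these hooks at a priority below 1.
    add_action( 'wp_ajax_' . $action, 'pmpro_guard_check_capability', 1 );
}

/**
 * Enforce the capability check the vulnerable handlers lack, and record
 * every refused attempt for the detection step.
 */
function pmpro_guard_check_capability() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the real handler
    }

    $user = wp_get_current_user();

    // Goes to the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is on).
    // REMOTE_ADDR is the proxy's address behind a reverse proxy; adjust if so.
    error_log( sprintf(
        'pmpro-guard: blocked action=%s user_id=%d login=%s role=%s ip=%s',
        sanitize_key( $_REQUEST['action'] ?? '' ),
        (int) $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );

    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
```

Because the check runs inside WordPress, it sees the resolved action regardless of whether the client sent it in the query string or the POST body, which is exactly the case the access-log grep above misses. The resulting "pmpro-guard: blocked" lines give you a per-user record of exploitation attempts; a burst of them from a freshly registered Subscriber account is the signal to look for.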