CVE-2026-12093
Authorization Bypass in Simple Membership Plugin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim's subscription ID, setting the target member's account_state to 'inactive' and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.
Affected Vendors & Products
Vendor                 Product             Version / Range
wp-simple-membership   simple_membership   up to 4.7.5 (inclusive)
simple_membership      plugin              up to 4.7.5 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Simple Membership plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 4.7.5. This happens because the plugin does not properly verify whether a user is authorized to perform certain actions.

An unauthenticated attacker can exploit this by forging a charge.refunded webhook event containing a victim's subscription ID. This allows the attacker to deactivate arbitrary member accounts by setting the target member's account state to 'inactive' and triggering related cancellation hooks, transaction status changes, and notification emails.

This vulnerability only affects installations where no Stripe webhook signing secret has been configured, which is the default setting. Sites that have configured the stripe-webhook-signing-secret option are protected by proper HMAC verification and are not vulnerable.

Impact Analysis

This vulnerability allows unauthenticated attackers to deactivate member accounts without authorization.

  • Attackers can cause legitimate user accounts to become inactive, disrupting access to services.
  • It can trigger cancellation hooks and transaction status changes, potentially affecting billing and membership records.
  • Affected users may receive cancellation notification emails, causing confusion and potential loss of trust.

Overall, this can lead to service disruption for members and administrative overhead to restore affected accounts.

Mitigation Strategies

To mitigate this vulnerability, you should configure the stripe-webhook-signing-secret option in the Simple Membership plugin settings. This enables verification of Stripe webhook events using HMAC, preventing unauthorized deactivation of member accounts.

Additionally, updating the Simple Membership plugin to a version later than 4.7.5, if available, will also address this issue.
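The check that the mitigation relies on, as an added example in Python (not code from the Simple Membership plugin or from Wordfence): Stripe's documented webhook signature scheme, a "t=<timestamp>,v1=<hex>" header carrying an HMAC-SHA256 over "<timestamp>.<raw body>", verified with a fail-closed rule so that a missing signing secret rejects the event instead of skipping the check. The event body, subscription ID and signing secret below are constructed placeholders, not real Stripe data.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # Stripe's documented default tolerance for the t= timestamp

def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Stripe v1 scheme: HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def parse_signature_header(header: str):
    """Split "t=...,v1=...,v1=..." into the timestamp and the list of v1 signatures."""
    timestamp, sigs = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1" and value:
            sigs.append(value)
    return timestamp, sigs

def verify_webhook(payload: bytes, header, secret, now=None) -> bool:
    """Return True only for a body carrying a fresh, valid signature under `secret`."""
    # Fail closed: an unconfigured signing secret must mean "reject", never "skip the check".
    if not secret or not header:
        return False
    timestamp, sigs = parse_signature_header(header)
    if timestamp is None or not sigs:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed event
    expected = sign_payload(secret, payload, timestamp)
    # Constant-time comparison against every v1 value (key rotation sends two signatures).
    return any(hmac.compare_digest(expected, s) for s in sigs)

def subscription_to_deactivate(payload: bytes, header, secret, now=None):
    """Return the subscription a charge.refunded event would cancel, or None if rejected."""
    if not verify_webhook(payload, header, secret, now):
        return None
    event = json.loads(payload)
    if event.get("type") != "charge.refunded":
        return None
    return event["data"]["object"].get("subscription")

# Constructed sample event and placeholder secret (not real Stripe values).
SAMPLE_EVENT = json.dumps({"type": "charge.refunded",
                           "data": {"object": {"subscription": "sub_EXAMPLE123"}}}).encode()
SAMPLE_SECRET = "whsec_example_placeholder"
```

With no secret configured, or with a header whose signature does not match the body, `subscription_to_deactivate` returns None and nothing is cancelled; only a correctly signed, fresh event yields the subscription ID.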
