Executive Summary

CVE-2026-40726 is a Broken Access Control vulnerability in the WordPress User Registration Stripe Plugin versions 1.3.14 and below.

This flaw allows unauthenticated attackers to perform privileged actions because the plugin lacks proper authorization checks.

It is a high-severity issue with a CVSS score of 8.2 and is actively exploitable.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthenticated attackers to perform privileged actions on affected websites using the vulnerable plugin.

Because it is actively exploitable, it poses a significant risk of mass exploitation campaigns targeting thousands of websites.

The impact includes unauthorized access and potential manipulation of user registration processes, which can compromise the security and integrity of the affected site.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the vulnerability in the WordPress User Registration Stripe Plugin versions 1.3.14 and below, you should immediately update the plugin to version 1.3.15 or later.

If updating the plugin is not immediately possible, apply a Patchstack mitigation rule to reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a high-priority Broken Access Control flaw that allows unauthenticated attackers to perform privileged actions due to missing authorization checks.

Such unauthorized access can lead to exposure or manipulation of sensitive user data, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal information.

Therefore, if exploited, this vulnerability could compromise compliance with these common standards by violating principles of data confidentiality and integrity.

Useful 0 Not Useful 0