CVE-2026-12093: CWE-862 Missing Authorization in wpinsider-1 Simple Membership
The Simple Membership plugin for WordPress contains an authorization bypass vulnerability in all versions up to and including 4.7.5. This flaw allows unauthenticated attackers to deactivate arbitrary member accounts by forging a Stripe charge.refunded webhook event with a victim's subscription ID. The vulnerability only affects installations that have not configured the Stripe webhook signing secret, which is the default setting. Sites with the stripe-webhook-signing-secret option configured are not vulnerable.
AI Analysis
Technical Summary
CVE-2026-12093 is an authorization bypass vulnerability (CWE-862) in the Simple Membership WordPress plugin (wpinsider-1). The plugin fails to properly verify user authorization when processing Stripe webhook events. Specifically, attackers can forge a charge.refunded webhook event containing a victim's subscription ID, causing the plugin to set the member's account_state to 'inactive' and trigger cancellation hooks and notifications. This vulnerability affects all versions up to and including 4.7.5 but only when the Stripe webhook signing secret is not configured, which is the default out-of-the-box state. Configuring the stripe-webhook-signing-secret option routes webhook processing through a verified HMAC path, mitigating the issue.
Potential Impact
An unauthenticated attacker can deactivate arbitrary member accounts by exploiting this vulnerability, causing denial of service to those members. The impact is limited to account deactivation and triggering of cancellation-related processes and notifications. There is no direct confidentiality or availability impact beyond account deactivation. The vulnerability requires the absence of a configured Stripe webhook signing secret to be exploitable.
Mitigation Recommendations
There is no official patch or fix currently confirmed. However, the vulnerability is mitigated if the Stripe webhook signing secret is configured in the plugin settings. Site administrators should immediately configure the stripe-webhook-signing-secret option to enable webhook signature verification, which prevents unauthorized webhook event processing. Check the vendor advisory or plugin updates regularly for any official fixes or patches.
CVE-2026-12093: CWE-862 Missing Authorization in wpinsider-1 Simple Membership
Description
The Simple Membership plugin for WordPress contains an authorization bypass vulnerability in all versions up to and including 4.7.5. This flaw allows unauthenticated attackers to deactivate arbitrary member accounts by forging a Stripe charge.refunded webhook event with a victim's subscription ID. The vulnerability only affects installations that have not configured the Stripe webhook signing secret, which is the default setting. Sites with the stripe-webhook-signing-secret option configured are not vulnerable.
CVSS v3.1
Score 5.3medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-12093 is an authorization bypass vulnerability (CWE-862) in the Simple Membership WordPress plugin (wpinsider-1). The plugin fails to properly verify user authorization when processing Stripe webhook events. Specifically, attackers can forge a charge.refunded webhook event containing a victim's subscription ID, causing the plugin to set the member's account_state to 'inactive' and trigger cancellation hooks and notifications. This vulnerability affects all versions up to and including 4.7.5 but only when the Stripe webhook signing secret is not configured, which is the default out-of-the-box state. Configuring the stripe-webhook-signing-secret option routes webhook processing through a verified HMAC path, mitigating the issue.
Potential Impact
An unauthenticated attacker can deactivate arbitrary member accounts by exploiting this vulnerability, causing denial of service to those members. The impact is limited to account deactivation and triggering of cancellation-related processes and notifications. There is no direct confidentiality or availability impact beyond account deactivation. The vulnerability requires the absence of a configured Stripe webhook signing secret to be exploitable.
Mitigation Recommendations
There is no official patch or fix currently confirmed. However, the vulnerability is mitigated if the Stripe webhook signing secret is configured in the plugin settings. Site administrators should immediately configure the stripe-webhook-signing-secret option to enable webhook signature verification, which prevents unauthorized webhook event processing. Check the vendor advisory or plugin updates regularly for any official fixes or patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-06-12T14:07:59.651Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a33875bf198dc38c1370f13
Added to database: 6/18/2026, 5:51:23 AM
Last enriched: 6/18/2026, 6:05:30 AM
Last updated: 6/18/2026, 7:18:01 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.