CVE-2026-12093 Overview
The Simple Membership plugin for WordPress contains an authorization bypass vulnerability affecting all versions up to and including 4.7.5. The plugin fails to verify that a request is authorized before processing Stripe webhook events. Unauthenticated attackers can forge a charge.refunded webhook event containing a victim's subscription ID. This action sets the target member's account_state to inactive, triggers cancellation hooks, alters transaction-record status, and sends cancellation notification emails. The flaw is exploitable only on installations where no Stripe webhook signing secret is configured, which is the default out-of-the-box state. The vulnerability is tracked under CWE-862: Missing Authorization.
Critical Impact
Unauthenticated attackers can deactivate arbitrary member accounts on WordPress sites running default Simple Membership configurations, disrupting access to paid content and triggering unwanted cancellation workflows.
Affected Products
- Simple Membership plugin for WordPress, versions up to and including 4.7.5
- WordPress sites running the plugin without a configured stripe-webhook-signing-secret
- Membership sites relying on Stripe subscription integrations via Simple Membership
Discovery Timeline
- 2026-06-18 - CVE-2026-12093 published to NVD
- 2026-06-18 - Last updated in the NVD database
Technical Details for CVE-2026-12093
Vulnerability Analysis
The Simple Membership plugin exposes a Stripe webhook endpoint to process subscription lifecycle events. When the stripe-webhook-signing-secret option is not configured, the handler accepts inbound webhook payloads without performing HMAC signature verification. This unauthenticated code path treats forged events as legitimate Stripe notifications.
An attacker who knows or guesses a victim's Stripe subscription ID can craft a fake charge.refunded event and submit it to the public webhook URL. The plugin then executes the full refund-handling logic against the targeted member account. Resulting actions include setting account_state to inactive, firing internal cancellation hooks, updating transaction records, and dispatching cancellation emails to the victim.
Root Cause
The root cause is a missing authorization check (CWE-862) on the Stripe webhook handler. When no signing secret is configured, the code falls through to an unverified path rather than rejecting the request. Properly configured installations are routed through the verified HMAC path and remain unaffected. Relevant code paths include swpm-stripe-webhook-handler.php and swpm_handle_subsc_ipn.php, referenced in the WordPress Plugin Webhook Handler source.
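The following Python model is an added illustration, not code from the Simple Membership plugin. It covers the fall-through described under Vulnerability Analysis and Root Cause, and the HMAC-verified path the mitigations below rely on: it reproduces the Stripe-Signature scheme (a header of the form t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>", checked against Stripe's documented 300-second replay tolerance) and contrasts a handler that processes events whenever no secret is configured with one that fails closed. The function names, the sub_EXAMPLE and whsec_EXAMPLE values, and the refund stand-in are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed model of the CWE-862 fall-through; NOT Simple Membership code.
# Stripe signs webhooks as HMAC-SHA256(secret, "<t>.<raw body>") and sends
# "Stripe-Signature: t=<t>,v1=<hex>". Verification must use the raw body.

TOLERANCE_SECONDS = 300  # Stripe's documented default replay window


def parse_signature_header(header):
    """Split 't=...,v1=...' into (timestamp, [v1 signatures])."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_stripe_signature(raw_body, header, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """True only if some v1 value equals HMAC-SHA256(secret, '<t>.<body>')
    and the timestamp lies within the replay tolerance."""
    now = int(time.time()) if now is None else now
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures or abs(now - timestamp) > tolerance:
        return False
    expected = hmac.new(secret.encode(), f"{timestamp}.{raw_body}".encode(),
                        hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def sign_for_test(raw_body, secret, timestamp):
    """Build a header the way Stripe would (test helper; needs the secret)."""
    mac = hmac.new(secret.encode(), f"{timestamp}.{raw_body}".encode(),
                   hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def process_event(event):
    """Stand-in for the plugin's refund handling; only reports what would happen."""
    if event.get("type") == "charge.refunded":
        sub_id = event["data"]["object"].get("subscription")
        return f"account_state=inactive for subscription {sub_id}"
    return "ignored"


def vulnerable_handle(raw_body, header, configured_secret, now=None):
    """Models the flaw: with no secret configured the event is processed unverified."""
    if configured_secret:
        if not verify_stripe_signature(raw_body, header, configured_secret, now):
            return "rejected"
    # Intentional defect being modelled: an empty secret skips the check entirely.
    return process_event(json.loads(raw_body))


def hardened_handle(raw_body, header, configured_secret, now=None):
    """Fail closed: without a secret the endpoint cannot authenticate Stripe."""
    if not configured_secret:
        return "rejected: webhook signing secret not configured"
    if not header or not verify_stripe_signature(raw_body, header, configured_secret, now):
        return "rejected"
    return process_event(json.loads(raw_body))


if __name__ == "__main__":
    body = json.dumps({"type": "charge.refunded",
                       "data": {"object": {"subscription": "sub_EXAMPLE"}}})
    ts = 1_700_000_000
    print(vulnerable_handle(body, "", "", now=ts))   # processed without any check
    print(hardened_handle(body, "", "", now=ts))     # rejected: secret not configured
    good = sign_for_test(body, "whsec_EXAMPLE", ts)
    print(hardened_handle(body, good, "whsec_EXAMPLE", now=ts))  # processed, verified
```

Two details matter in practice: the HMAC must be computed over the exact raw request body (re-serialised JSON will not match), and the comparison must be constant-time, which is why hmac.compare_digest is used rather than ==.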
Attack Vector
Exploitation requires network access to the WordPress site's webhook endpoint and knowledge of a target's Stripe subscription identifier. The attacker submits a forged JSON payload mimicking a charge.refunded event with the victim's subscription ID embedded in the event object. No authentication or user interaction is required. The vulnerability impacts integrity by altering account state, but does not directly expose confidential data or crash the service.
No verified public exploit code is available. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-12093
Indicators of Compromise
- Unexpected charge.refunded events appearing in the Simple Membership transaction log without corresponding Stripe dashboard activity.
- Member accounts transitioning to an inactive account_state without administrator action or legitimate refund records.
- Outbound cancellation notification emails sent to members who did not request a refund or cancellation.
- Inbound HTTP POST requests to the plugin's Stripe webhook endpoint originating from IP ranges outside Stripe's published webhook source list.
Detection Strategies
- Review web server access logs for POST requests to the Simple Membership Stripe webhook URL and correlate them with Stripe's official webhook event IDs.
- Audit the WordPress swpm_members table for account_state changes and cross-reference with administrator activity logs.
- Monitor outbound mail queues for spikes in cancellation notification emails from the plugin.
Monitoring Recommendations
- Enable detailed logging on the WordPress site's webhook endpoint, including raw request headers and bodies.
- Configure alerts for any bulk account_state modifications within Simple Membership.
- Compare Stripe dashboard refund events to plugin-recorded refund events on a recurring schedule.
How to Mitigate CVE-2026-12093
Immediate Actions Required
- Configure the stripe-webhook-signing-secret option in Simple Membership using the signing secret provided by the Stripe dashboard, which routes traffic to the verified HMAC path.
- Update Simple Membership to a version newer than 4.7.5 once the vendor releases a fix that enforces verification regardless of configuration.
- Audit recent transaction logs and restore any member accounts that were incorrectly deactivated.
- Restrict access to the webhook endpoint at the web server or WAF layer to known Stripe IP ranges.
Patch Information
At the time of publication, the NVD entry lists affected versions up to and including 4.7.5. Administrators should monitor the WordPress Plugin Changeset and the Wordfence Vulnerability Report for the fixed release version and apply the patch as soon as it is available.
Workarounds
- Set the Stripe webhook signing secret in plugin settings to force all webhook events through the HMAC-verified handler path.
- Restrict the webhook endpoint via WAF or web server rules to Stripe's published IP ranges until a patched plugin version is installed.
- Temporarily disable the Stripe integration in Simple Membership if signing secret configuration is not feasible.
# Configuration example - set the Stripe webhook signing secret via WP-CLI.
# Requires jq; replace the placeholder with the whsec_... value shown for the
# endpoint in the Stripe dashboard, and back up the option first:
#   wp option get swpm_settings --format=json > swpm_settings.backup.json
wp option update swpm_settings --format=json \
"$(wp option get swpm_settings --format=json | jq '. + {"stripe-webhook-signing-secret":"whsec_REPLACE_WITH_STRIPE_SECRET"}')"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.