React
CVE-2026-1461
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
AnalysisAI
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
Technical ContextAI
exists in the Stripe webhook component. The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without pay
Affected ProductsAI
Vendor: WordPress. Product: Simple Membership (WordPress plugin). Versions: up to 4.7.0. Component: Stripe webhook.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202
react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react
React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names a
Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Same weakness CWE-230 – Improper Handling of Missing Values
View allShare
External POC / Exploit Code
Leaving vuln.today