Skip to main content

Simple Membership CVE-2026-34886

| EUVDEUVD-2026-36917 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-x67r-jcr7-mf6r
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable WordPress plugin endpoint with missing authorization (PR:N, AV:N, AC:L, UI:N); broken access control on state-changing action gives high integrity impact, no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:38 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.

AnalysisAI

Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attackers to modify protected resources due to missing authorization checks. The flaw, reported by Patchstack and tracked as EUVD-2026-36917, carries a CVSS 3.1 score of 7.5 reflecting high integrity impact with no confidentiality or availability effect. No public exploit identified at time of analysis, but the network-reachable, no-auth profile makes WordPress sites running this plugin a realistic target.

Technical ContextAI

Simple Membership (vendor wp.insider, CPE cpe:2.3:a:wp.insider:simple_membership) is a WordPress plugin that manages member registration, content gating, and subscription levels. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints/actions process state-changing requests without verifying that the caller is authenticated or holds the required capability. In WordPress plugins this class of bug typically manifests as admin-ajax or REST callbacks lacking current_user_can() / nonce checks, allowing anonymous HTTP callers to invoke privileged logic.

RemediationAI

Upgrade the Simple Membership plugin to a version greater than 4.7.1 as soon as the vendor publishes a fix; the input data does not include a confirmed fix version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-1-broken-access-control-vulnerability) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-34886) for the patched release number. Until a patched version is installed, deactivate the Simple Membership plugin if the site can tolerate the loss of membership functionality, or place the affected WordPress site behind a WAF such as Patchstack/Wordfence with a virtual patch for CVE-2026-34886 (trade-off: WAF rules can be bypassed and may block legitimate member workflows). As a narrower compensating control, restrict access to wp-admin/admin-ajax.php and the plugin's REST routes via IP allowlist or HTTP auth where feasible, accepting that this will break public registration and any front-end member actions.

CVE-2022-2317 CRITICAL POC
9.8 Aug 01

The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due

CVE-2026-11855 HIGH POC
8.8 Jul 06

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no

CVE-2022-2273 HIGH POC
8.8 Aug 01

The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editi

CVE-2019-14328 HIGH POC
8.8 Jul 28

The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section. Rated high severi

CVE-2022-0681 MEDIUM POC
6.5 Mar 21

The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which

CVE-2022-1724 MEDIUM POC
6.1 Jun 13

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting t

CVE-2022-0328 MEDIUM POC
4.7 Feb 28

The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could

CVE-2024-11088 HIGH
7.5 Nov 21

The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and in

CVE-2023-4719 HIGH
7.2 Sep 06

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter

CVE-2023-50376 HIGH
7.1 Dec 19

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider S

CVE-2026-42663 MEDIUM
6.5 Jun 15

Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of

CVE-2024-4383 MEDIUM
6.4 May 14

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_su

Share

CVE-2026-34886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy