Skip to main content

Simple Membership CVE-2026-42663

| EUVDEUVD-2026-36828 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-hc65-h82q-r825
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

PR:N reflects the description's explicit 'unauthenticated' claim; A:N applied as XSS does not typically cause availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:59 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions.

AnalysisAI

Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.

Technical ContextAI

Simple Membership (CPE: cpe:2.3:a:wp.insider:simple_membership:*:*:*:*:*:*:*:*) is a widely deployed WordPress membership management plugin published by wp.insider. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), meaning user-supplied input is reflected or persisted into HTML output without sufficient encoding or sanitization. The CVSS Scope:Changed metric confirms the vulnerability crosses trust boundaries - a payload submitted in one context (e.g., a membership form field or shortcode parameter) is rendered in another security context, most likely the WordPress admin dashboard or a privileged user session. XSS in membership plugins frequently arises in input fields processed server-side (registration fields, profile inputs, admin-facing member list pages) that lack wp_kses or esc_html output escaping.

RemediationAI

The primary remediation is to update Simple Membership beyond version 4.7.2 - however, no exact patched release version is confirmed in the available source data (patch available per vendor advisory via Patchstack, but the specific fixed version is not independently verified from the provided references). Site operators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-2-cross-site-scripting-xss-vulnerability for the latest patched release and update immediately. As an interim compensating control while a patch is applied or verified, restrict access to any Simple Membership input forms or admin-facing member list views using WordPress capability checks or WAF rules targeting reflected script patterns. A Web Application Firewall rule blocking script injection patterns in membership-related form parameters can reduce exposure without disabling the plugin entirely, though WAF bypasses for XSS remain common. Disabling the Simple Membership plugin entirely eliminates the attack surface but removes all membership gating functionality.

CVE-2022-2317 CRITICAL POC
9.8 Aug 01

The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due

CVE-2026-11855 HIGH POC
8.8 Jul 06

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no

CVE-2022-2273 HIGH POC
8.8 Aug 01

The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editi

CVE-2019-14328 HIGH POC
8.8 Jul 28

The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section. Rated high severi

CVE-2022-0681 MEDIUM POC
6.5 Mar 21

The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which

CVE-2022-1724 MEDIUM POC
6.1 Jun 13

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting t

CVE-2022-0328 MEDIUM POC
4.7 Feb 28

The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could

CVE-2026-34886 HIGH
7.5 Jun 15

Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attacker

CVE-2024-11088 HIGH
7.5 Nov 21

The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and in

CVE-2023-4719 HIGH
7.2 Sep 06

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter

CVE-2023-50376 HIGH
7.1 Dec 19

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider S

CVE-2024-4383 MEDIUM
6.4 May 14

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_su

Share

CVE-2026-42663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy