Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
PR:N reflects the description's explicit 'unauthenticated' claim; A:N applied as XSS does not typically cause availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions.
AnalysisAI
Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.
Technical ContextAI
Simple Membership (CPE: cpe:2.3:a:wp.insider:simple_membership:*:*:*:*:*:*:*:*) is a widely deployed WordPress membership management plugin published by wp.insider. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), meaning user-supplied input is reflected or persisted into HTML output without sufficient encoding or sanitization. The CVSS Scope:Changed metric confirms the vulnerability crosses trust boundaries - a payload submitted in one context (e.g., a membership form field or shortcode parameter) is rendered in another security context, most likely the WordPress admin dashboard or a privileged user session. XSS in membership plugins frequently arises in input fields processed server-side (registration fields, profile inputs, admin-facing member list pages) that lack wp_kses or esc_html output escaping.
RemediationAI
The primary remediation is to update Simple Membership beyond version 4.7.2 - however, no exact patched release version is confirmed in the available source data (patch available per vendor advisory via Patchstack, but the specific fixed version is not independently verified from the provided references). Site operators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-2-cross-site-scripting-xss-vulnerability for the latest patched release and update immediately. As an interim compensating control while a patch is applied or verified, restrict access to any Simple Membership input forms or admin-facing member list views using WordPress capability checks or WAF rules targeting reflected script patterns. A Web Application Firewall rule blocking script injection patterns in membership-related form parameters can reduce exposure without disabling the plugin entirely, though WAF bypasses for XSS remain common. Disabling the Simple Membership plugin entirely eliminates the attack surface but removes all membership gating functionality.
More in Simple Membership
View allThe Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no
The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editi
The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section. Rated high severi
The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which
The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting t
The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could
Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attacker
The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and in
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider S
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_su
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36828
GHSA-hc65-h82q-r825