Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-reachable WordPress plugin endpoint with missing authorization (PR:N, AV:N, AC:L, UI:N); broken access control on state-changing action gives high integrity impact, no confidentiality or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.
AnalysisAI
Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attackers to modify protected resources due to missing authorization checks. The flaw, reported by Patchstack and tracked as EUVD-2026-36917, carries a CVSS 3.1 score of 7.5 reflecting high integrity impact with no confidentiality or availability effect. No public exploit identified at time of analysis, but the network-reachable, no-auth profile makes WordPress sites running this plugin a realistic target.
Technical ContextAI
Simple Membership (vendor wp.insider, CPE cpe:2.3:a:wp.insider:simple_membership) is a WordPress plugin that manages member registration, content gating, and subscription levels. The root cause is CWE-862 (Missing Authorization): one or more plugin endpoints/actions process state-changing requests without verifying that the caller is authenticated or holds the required capability. In WordPress plugins this class of bug typically manifests as admin-ajax or REST callbacks lacking current_user_can() / nonce checks, allowing anonymous HTTP callers to invoke privileged logic.
RemediationAI
Upgrade the Simple Membership plugin to a version greater than 4.7.1 as soon as the vendor publishes a fix; the input data does not include a confirmed fix version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/simple-membership/vulnerability/wordpress-simple-membership-plugin-4-7-1-broken-access-control-vulnerability) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-34886) for the patched release number. Until a patched version is installed, deactivate the Simple Membership plugin if the site can tolerate the loss of membership functionality, or place the affected WordPress site behind a WAF such as Patchstack/Wordfence with a virtual patch for CVE-2026-34886 (trade-off: WAF rules can be bypassed and may block legitimate member workflows). As a narrower compensating control, restrict access to wp-admin/admin-ajax.php and the plugin's REST routes via IP allowlist or HTTP auth where feasible, accepting that this will break public registration and any front-end member actions.
More in Simple Membership
View allThe Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no
The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editi
The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section. Rated high severi
The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which
The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting t
The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could
The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and in
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider S
Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_su
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36917
GHSA-x67r-jcr7-mf6r