Skip to main content

User Registration Stripe EUVDEUVD-2026-37595

| CVE-2026-40726 HIGH
Missing Authorization (CWE-862)
2026-06-17 Patchstack
8.2
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Remote unauthenticated HTTP endpoint with no UI; missing authorization yields high confidentiality disclosure and limited integrity write, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:18 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.14 versions.

AnalysisAI

Broken access control in the User Registration Stripe WordPress plugin (versions 1.3.14 and earlier) allows remote unauthenticated attackers to access functionality that should require authorization, leading to high confidentiality exposure and limited integrity tampering. The flaw is reported by Patchstack and tagged as an authentication bypass, but no public exploit code has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running plugin
Delivery
Enumerate plugin's nopriv endpoint
Exploit
Send unauthenticated HTTP request
Execution
Bypass missing capability check
Impact
Read sensitive data or alter state

Vulnerability AssessmentAI

Exploitation The target site must have the User Registration Stripe plugin installed and activated at version 1.3.14 or earlier, exposing the plugin's HTTP endpoints (typically /wp-admin/admin-ajax.php with the plugin's action parameter, or its REST route under /wp-json/). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N rates the issue 8.2 (High): network-reachable, low complexity, no privileges, no user interaction, with high confidentiality and low integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans the internet for WordPress sites running User Registration Stripe <= 1.3.14, then sends an unauthenticated HTTP request directly to the plugin's vulnerable AJAX or REST endpoint to invoke a function that should require a logged-in user with specific capabilities. Because no authorization check is performed, the attacker retrieves sensitive registration/payment-related data (matching C:H) and modifies limited state (matching I:L). …
Remediation Upgrade the User Registration Stripe plugin to a version newer than 1.3.14 once ThemeGrill publishes a fixed release; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/user-registration-stripe/vulnerability/wordpress-user-registration-stripe-plugin-1-3-14-broken-access-control-vulnerability for the exact patched version, as the input data does not specify it (treat this as 'Patch available per vendor advisory' until the fixed version is confirmed). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for User Registration Stripe plugin version 1.3.14 and earlier; immediately deactivate the affected plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy