Skip to main content

Simple Membership

17 CVEs product

Monthly

CVE-2026-11855 HIGH POC PATCH This Week

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.

WordPress Code Injection Simple Membership
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-12093 MEDIUM This Month

Authorization bypass in the Simple Membership WordPress plugin (≤4.7.5) enables unauthenticated remote attackers to forcibly deactivate any member account by submitting a forged Stripe charge.refunded webhook payload carrying a known victim subscription ID. The plugin's webhook handler skips HMAC signature verification when the stripe-webhook-signing-secret option is absent - the default installation state - accepting the forged event as legitimate and setting the target account_state to 'inactive', firing cancellation hooks, recording a transaction status change, and dispatching a cancellation notification email. No public exploit has been identified at time of analysis, and no KEV listing exists, but the zero-prerequisite network attack path against default-configured sites elevates practical risk above the 5.3 CVSS score suggests.

Authentication Bypass WordPress Simple Membership
NVD VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-42663 MEDIUM This Month

Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.

XSS Simple Membership
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-34886 HIGH This Week

Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attackers to modify protected resources due to missing authorization checks. The flaw, reported by Patchstack and tracked as EUVD-2026-36917, carries a CVSS 3.1 score of 7.5 reflecting high integrity impact with no confidentiality or availability effect. No public exploit identified at time of analysis, but the network-reachable, no-auth profile makes WordPress sites running this plugin a realistic target.

Authentication Bypass Simple Membership
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-11088 HIGH PATCH This Week

The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Simple Membership
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-4383 MEDIUM PATCH This Month

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simple Membership
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-3730 MEDIUM This Month

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Simple Membership
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-1985 MEDIUM PATCH This Month

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simple Membership
NVD VulDB
CVSS 3.1
4.7
EPSS
3.3%
CVE-2024-22308 LOW Monitor

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership.4.1. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Open Redirect Simple Membership
NVD
CVSS 3.1
3.4
EPSS
0.1%
CVE-2023-50376 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS.3.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Simple Membership
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2023-4719 HIGH PATCH This Week

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter in versions up to, and including, 4.3.5 due to insufficient input sanitization. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simple Membership
NVD VulDB
CVSS 3.1
7.2
EPSS
1.4%
CVE-2022-2317 CRITICAL POC Act Now

The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Simple Membership
NVD WPScan
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-2273 HIGH POC This Week

The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Simple Membership
NVD WPScan
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-1724 MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple Membership
NVD WPScan
CVSS 3.1
6.1
EPSS
1.7%
CVE-2022-0681 MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Simple Membership
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-0328 MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Simple Membership
NVD WPScan
CVSS 3.1
4.7
EPSS
0.5%
CVE-2019-14328 HIGH POC This Week

The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Simple Membership
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
3.1%
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.

WordPress Code Injection Simple Membership
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Simple Membership WordPress plugin (≤4.7.5) enables unauthenticated remote attackers to forcibly deactivate any member account by submitting a forged Stripe charge.refunded webhook payload carrying a known victim subscription ID. The plugin's webhook handler skips HMAC signature verification when the stripe-webhook-signing-secret option is absent - the default installation state - accepting the forged event as legitimate and setting the target account_state to 'inactive', firing cancellation hooks, recording a transaction status change, and dispatching a cancellation notification email. No public exploit has been identified at time of analysis, and no KEV listing exists, but the zero-prerequisite network attack path against default-configured sites elevates practical risk above the 5.3 CVSS score suggests.

Authentication Bypass WordPress Simple Membership
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.

XSS Simple Membership
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the WordPress Simple Membership plugin (versions ≤4.7.1) allows remote unauthenticated attackers to modify protected resources due to missing authorization checks. The flaw, reported by Patchstack and tracked as EUVD-2026-36917, carries a CVSS 3.1 score of 7.5 reflecting high integrity impact with no confidentiality or availability effect. No public exploit identified at time of analysis, but the network-reachable, no-auth profile makes WordPress sites running this plugin a realistic target.

Authentication Bypass Simple Membership
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Simple Membership
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simple Membership
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Simple Membership
NVD
EPSS 3% CVSS 4.7
MEDIUM PATCH This Month

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simple Membership
NVD VulDB
EPSS 0% CVSS 3.4
LOW Monitor

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership.4.1. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Open Redirect Simple Membership
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS.3.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Simple Membership
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter in versions up to, and including, 4.3.5 due to insufficient input sanitization. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Simple Membership
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Simple Membership
NVD WPScan
EPSS 1% CVSS 8.8
HIGH POC This Week

The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Simple Membership
NVD WPScan
EPSS 2% CVSS 6.1
MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple Membership
NVD WPScan
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Simple Membership
NVD WPScan
EPSS 0% CVSS 4.7
MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Simple Membership
NVD WPScan
EPSS 3% CVSS 8.8
HIGH POC This Week

The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Simple Membership
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy