CVE-2026-1461Improper Handling of Missing Values in Simple Membership

CWE-230Improper Handling of Missing Values4 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 77.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wpinsider-1 Simple Membership
Timeline
PublishedFeb 19

Description

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without pay

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-h972-rpm4-hj8q: The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 42026-02-19
CVEList
Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values2026-02-19

🕵️Threat Intelligence

1
Wiz
CVE-2026-1461 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-1461 — Improper Handling of Missing Values | cvebase