๐Ÿ” CVE Alert

CVE-2026-11855

HIGH 8.8

Simple Membership < 4.7.5 - Unauthenticated Stored XSS via Stripe Webhook API Version

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.

Vendor unknown
Product simple membership
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for unknown simple membership

Be the first to know when new high vulnerabilities affecting unknown simple membership are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Simple Membership
0 < 4.7.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/217cb606-a0f2-4427-9262-cfe1cc90474e/

Credits

Duy Tran WPScan