CVE-2026-11855
Simple Membership < 4.7.5 - Unauthenticated Stored XSS via Stripe Webhook API Version
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.
| Vendor | unknown |
| Product | simple membership |
| Published | Jul 6, 2026 |
| Last Updated | Jul 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown simple membership
Be the first to know when new high vulnerabilities affecting unknown simple membership are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Simple Membership
0 < 4.7.5
References
Credits
Duy Tran WPScan