Vulnerabilities ›

CVE-2026-4100

High

CWE-862 — Weakness Type

                    Published: May 2, 2026                      ·  Modified: May 9, 2026                      ·  Source: NVD                

CVSS v3

7.1

🔗 NVD Official

📄 Description (English)

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.

🤖 AI Executive Summary

The Paid Memberships Pro WordPress plugin versions up to 3.6.5 contain missing capability checks in Stripe webhook AJAX handlers, allowing authenticated subscribers to modify webhook configurations. This vulnerability enables attackers to disrupt payment processing, subscription management, and financial transaction handling for affected organizations.

📄 Description (Arabic)

تحتوي إضافة Paid Memberships Pro على ثغرة في معالجات AJAX الخاصة بـ Stripe تفتقد فحوصات القدرات، مما يسمح للمستخدمين المصرحين بحذف أو إنشاء أو إعادة بناء webhooks. هذا يمكن أن يعطل معالجة الدفع بالكامل وإدارة الاشتراكات والتجديدات والإلغاءات.

🤖 ملخص تنفيذي (AI)

ثغرة في إضافة Paid Memberships Pro لـ WordPress تصل إلى الإصدار 3.6.5 تفتقد فحوصات الصلاحيات في معالجات AJAX الخاصة بـ Stripe. يمكن للمستخدمين المصرحين بمستوى المشترك تعديل إعدادات webhooks وتعطيل معالجة الدفع والاشتراكات.

🤖 AI Intelligence Analysis Analyzed: May 9, 2026 11:19

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom healthcare government

🎯 MITRE ATT&CK Techniques

T1190 T1548 T1078

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update Paid Memberships Pro plugin to version 3.6.6 or later immediately. Implement capability checks to restrict webhook management to administrator-level users only. Review and audit all Stripe webhook configurations and recent modifications. Monitor Stripe webhook logs for unauthorized changes. Implement additional access controls and role-based permissions for payment-related functions.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Paid Memberships Pro إلى الإصدار 3.6.6 أو أحدث فوراً. طبق فحوصات الصلاحيات لتقييد إدارة webhooks للمستخدمين من مستوى المسؤول فقط. راجع وتدقق جميع إعدادات Stripe webhook والتعديلات الأخيرة. راقب سجلات Stripe webhook للتعديلات غير المصرح بها. طبق ضوابط وصول إضافية وأذونات قائمة على الأدوار للوظائف المتعلقة بالدفع.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2 5.2.1

🔵 SAMA CSF

AC-2 AC-3 AC-6

🟡 ISO 27001:2022

A.9.1.1 A.9.2.1 A.9.4.3

🔗 References & Sources 2

🔗

https://github.com/strangerstudios/paid-memberships-pro/pull/3615

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406d...

security@wordfence.com

📊 CVSS Score

7.1

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityL — Low / Local

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.1

CWECWE-862

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-02

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-862

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-4100

💬 Comments

Join CISO Consulting

Introduce Yourself

Sign In Required