Paid Memberships Pro Plugin: Stripe Webhook Vulnerability CVE-2026-4100

The National Vulnerability Database reports a critical flaw, CVE-2026-4100, in the Paid Memberships Pro plugin for WordPress, impacting all versions up to and including 3.6.5. This vulnerability stems from missing capability checks on several AJAX handlers, specifically wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, and wp_ajax_pmpro_stripe_rebuild_webhook.

This oversight allows authenticated attackers with even Subscriber-level access to manipulate the site’s Stripe webhook configuration. They can delete, create, or rebuild these webhooks, effectively disrupting all payment processing, subscription renewals, cancellation handling, and failed payment management. The National Vulnerability Database assigns this a CVSS score of 7.1 (HIGH), underscoring the severe operational impact on sites relying on this plugin for payment functionality.

For defenders, this is a direct hit to business continuity. An attacker doesn’t need high-level privileges to cripple revenue streams and customer management. This isn’t just a data breach risk; it’s a denial-of-service against financial operations, creating immediate and tangible damage to any organization using the plugin for paid memberships.

What This Means For You

  • If your organization uses the Paid Memberships Pro plugin for WordPress, you must immediately audit your plugin version. This vulnerability allows low-privileged attackers to disable your Stripe payment processing. Patch to a version beyond 3.6.5 as soon as an update is available, and scrutinize logs for any unauthorized webhook modifications.
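As an added illustration (not code from Paid Memberships Pro or from the advisory), the mu-plugin below shows the capability check the vulnerable handlers were missing and doubles as an interim guard and audit log until a patched version is installed. It assumes the handlers hang off the standard wp_ajax_{action} hooks at the default priority, and that manage_options is the right gating capability; the advisory names no specific capability.

```php
<?php
/**
 * Plugin Name: PMPro Stripe webhook AJAX guard (illustrative, not PMPro code)
 *
 * Drop-in mu-plugin that hooks the three AJAX actions named in CVE-2026-4100
 * at priority 1, ahead of the plugin's own handlers at the default priority 10,
 * logs every call with the WordPress user, and stops the request when the
 * caller lacks an administrative capability. Assumptions: the plugin registers
 * its handlers on the standard wp_ajax_{action} hooks at default priority, and
 * 'manage_options' is the capability that should gate webhook changes.
 */

defined( 'ABSPATH' ) || exit;

function pmpro_webhook_guard_actions() {
    return array(
        'pmpro_stripe_create_webhook',
        'pmpro_stripe_delete_webhook',
        'pmpro_stripe_rebuild_webhook',
    );
}

/**
 * Returns true when the current user may change the Stripe webhook config.
 * Every decision is logged, because web server access logs never carry the
 * WordPress role and cannot distinguish a Subscriber from an Administrator.
 */
function pmpro_webhook_guard_check( $action ) {
    $user    = wp_get_current_user();
    $who     = $user->exists() ? $user->user_login . ' (ID ' . $user->ID . ')' : 'unauthenticated';
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $allowed = current_user_can( 'manage_options' );

    error_log( sprintf( 'pmpro-webhook-guard: %s %s for %s from %s',
        $allowed ? 'allowed' : 'BLOCKED', $action, $who, $ip ) );
    return $allowed;
}

foreach ( pmpro_webhook_guard_actions() as $action ) {
    add_action( 'wp_ajax_' . $action, function () use ( $action ) {
        if ( ! pmpro_webhook_guard_check( $action ) ) {
            // wp_send_json_error() ends the request, so the plugin's handler never runs.
            wp_send_json_error( 'Insufficient privileges', 403 );
        }
    }, 1 );
}
```

Place the file in wp-content/mu-plugins/ so it loads before regular plugins; it does not replace the plugin's own nonce handling, only adds the missing authorization check and a log line per call.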

🛡️ Detection Rules

Four detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma rule shown below is the one reproduced on this page.

Severity: high · ATT&CK: T1531 (Impact)

CVE-2026-4100 - Paid Memberships Pro Stripe Webhook Unauthorized Modification

Sigma YAML:

```yaml
title: CVE-2026-4100 - Paid Memberships Pro Stripe Webhook Unauthorized Modification
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  This rule detects attempts to create or modify Stripe webhook configurations via the Paid Memberships Pro plugin's AJAX handlers. Attackers with subscriber-level access can exploit this vulnerability (CVE-2026-4100) to disrupt payment processing and subscription synchronization by creating, deleting, or rebuilding webhooks without proper authorization. This detection focuses on the specific AJAX action 'pmpro_stripe_create_webhook' which is part of the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4100/
tags:
  - attack.impact
  - attack.t1531
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/wp-admin/admin-ajax.php'
    # admin-ajax.php requests usually carry 'action' in the POST body, which
    # access logs do not record; this only matches when it is in the query string.
    cs-uri-query|contains: 'action=pmpro_stripe_create_webhook'
    cs-method: 'POST'
    sc-status|startswith: '2'
  selection_user:
    # Access logs carry no WordPress role, so this clause only matches when the
    # logged username itself contains 'subscriber'.
    User|contains: 'subscriber'
  condition: selection and selection_user
falsepositives:
  - Legitimate administrative activity
```


Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-4100 | Auth Bypass | Paid Memberships Pro plugin for WordPress versions <= 3.6.5 |
| CVE-2026-4100 | Auth Bypass | Missing capability checks on AJAX handlers: wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, wp_ajax_pmpro_stripe_rebuild_webhook |
| CVE-2026-4100 | Disruption of Service | Authenticated attackers with Subscriber-level access can delete, create, or rebuild Stripe webhooks |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
