Vulnerabilities and security researches forsimple-membership simple-membership

Direction: ascending

Jun 07, 2024

Simple Membership # CVE-2022-0328

CVE, Research URL: CVE-2022-0328
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Feb 28, 2022
Research Description: The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
Affected versions: max 4.0.9.
Status: vulnerable

Simple Membership # CVE-2016-10884

CVE, Research URL: CVE-2016-10884
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Aug 14, 2019
Research Description: The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues.
Affected versions: max 3.3.3.
Status: vulnerable

Simple Membership # CVE-2017-18499

CVE, Research URL: CVE-2017-18499
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Aug 12, 2019
Research Description: The simple-membership plugin before 3.5.7 for WordPress has XSS.
Affected versions: max 3.5.7.
Status: vulnerable

Simple Membership # CVE-2022-2317

CVE, Research URL: CVE-2022-2317
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Aug 01, 2022
Research Description: The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter.
Affected versions: max 4.0.4.
Status: vulnerable

Simple Membership # CVE-2019-14328

CVE, Research URL: CVE-2019-14328
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Jul 28, 2019
Research Description: The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section.
Affected versions: max 3.8.5.
Status: vulnerable

Simple Membership # CVE-2022-0681

CVE, Research URL: CVE-2022-0681
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Mar 22, 2022
Research Description: The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack
Affected versions: max 3.2.9.
Status: vulnerable

Simple Membership # CVE-2023-41956

CVE, Research URL: CVE-2023-41956
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: May 17, 2024
Research Description: Improper Authentication vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.3.4.
Affected versions: max 4.3.5.
Status: vulnerable

Simple Membership # CVE-2023-6882

CVE, Research URL: CVE-2023-6882
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Jan 11, 2024
Research Description: The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 4.3.9.
Status: vulnerable

Simple Membership # CVE-2023-50376

CVE, Research URL: CVE-2023-50376
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Dec 19, 2023
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS.This issue affects Simple Membership: from n/a through 4.3.8.
Affected versions: max 4.3.9.
Status: vulnerable

Simple Membership # CVE-2022-1724

CVE, Research URL: CVE-2022-1724
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Jun 13, 2022
Research Description: The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting
Affected versions: max 4.1.1.
Status: vulnerable

Simple Membership # CVE-2022-2273

CVE, Research URL: CVE-2022-2273
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Aug 01, 2022
Research Description: The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request.
Affected versions: max 4.1.3.
Status: vulnerable

Simple Membership # CVE-2022-4469

CVE, Research URL: CVE-2022-4469
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Jan 16, 2023
Research Description: The Simple Membership WordPress plugin before 4.2.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.
Affected versions: max 3.2.9.
Status: vulnerable

Simple Membership # CVE-2023-4719

CVE, Research URL: CVE-2023-4719
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Sep 06, 2023
Research Description: The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter in versions up to, and including, 4.3.5 due to insufficient input sanitization and output escaping. Using this vulnerability, unauthenticated attackers could inject arbitrary web scripts into pages that are being executed if they can successfully trick a user into taking an action, such as clicking a malicious link.
Affected versions: max 4.3.6.
Status: vulnerable

Simple Membership # CVE-2023-41957

CVE, Research URL: CVE-2023-41957
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: May 17, 2024
Research Description: Improper Privilege Management vulnerability in smp7, wp.Insider Simple Membership allows Privilege Escalation.This issue affects Simple Membership: from n/a through 4.3.4.
Affected versions: max 4.3.5.
Status: vulnerable

Simple Membership # CVE-2024-22308

CVE, Research URL: CVE-2024-22308
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Jan 24, 2024
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.4.1.
Affected versions: max 4.4.2.
Status: vulnerable

Simple Membership # CVE-2024-1985

CVE, Research URL: CVE-2024-1985
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Mar 13, 2024
Research Description: The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution.
Affected versions: max 4.4.3.
Status: vulnerable

Simple Membership # CVE-2024-3730

CVE, Research URL: CVE-2024-3730
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Apr 25, 2024
Research Description: The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 4.4.4.
Status: vulnerable

Simple Membership # CVE-2024-4383

CVE, Research URL: CVE-2024-4383
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: May 14, 2024
Research Description: The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 4.4.6.
Status: vulnerable

Oct 24, 2024

Simple Membership # CVE-2024-49682

CVE, Research URL: CVE-2024-49682
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Oct 24, 2024
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership allows Phishing.This issue affects Simple Membership: from n/a through 4.5.3.
Affected versions: max 4.5.4.
Status: vulnerable

Nov 23, 2024

Simple Membership # CVE-2024-11088

CVE, Research URL: CVE-2024-11088
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Nov 21, 2024
Research Description: The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
Affected versions: max 4.5.6.
Status: vulnerable

Jun 14, 2025

Simple Membership # CVE-2025-49333

CVE, Research URL: CVE-2025-49333
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Jun 06, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wp.insider Simple Membership allows Stored XSS. This issue affects Simple Membership: from n/a through 4.6.3.
Affected versions: max 4.6.4.
Status: vulnerable

Feb 27, 2026

Simple Membership # CVE-2026-25308

CVE, Research URL: CVE-2026-25308
Home page URL: Security reports for Simple Membership
Application: Simple Membership
Date: Feb 19, 2026
Research Description: Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Membership: from n/a through <= 4.6.9.
Affected versions: max 4.6.9.
Status: vulnerable