cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forsimple-membership simple-membership

Direction: descending
Jun 19, 2026

Simple Membership # CVE-2026-12093

CVE, Research URL

CVE-2026-12093

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jun 18, 2026
Research Description
The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitrary member accounts by forging a charge.refunded webhook event containing a victim's subscription ID, setting the target member's account_state to 'inactive' and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails. This vulnerability is exploitable only on installations where no Stripe webhook signing secret has been configured, which is the default out-of-the-box state; sites that have configured the stripe-webhook-signing-secret option are routed to the properly verified HMAC path and are not affected.
Affected versions
max 4.7.6.
Status
vulnerable
Jun 16, 2026

Simple Membership # 43f01b1c26f2650323bbc694295962219fbb7c4c

CVE, Research URL

43f01b1c26f2650323bbc694295962219fbb7c4c

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jul 14, 2016
Research Description
Simple Membership [simple-membership] < 3.2.9 Simple Membership < 3.2.9 - Reflected Cross-Site Scripting The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in versions before 3.2.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 3.2.9.
Status
vulnerable

Simple Membership # 4e3ff293cb6f8f8ba962ca082fe70e7cf7610c56

CVE, Research URL

4e3ff293cb6f8f8ba962ca082fe70e7cf7610c56

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Apr 05, 2021
Research Description
Simple Membership [simple-membership] < 4.0.4 WordPress Simple Membership plugin <= 4.0.3 - Authenticated SQL Injection (SQLi) vulnerability Authenticated SQL Injection (SQLi) vulnerability discovered by Martin Vierula in WordPress Simple Membership plugin (versions <= 4.0.3).
Affected versions
max 4.0.4.
Status
vulnerable

Simple Membership # 2e5c36721279e4c66e72eea200b2514e8820ef52

CVE, Research URL

2e5c36721279e4c66e72eea200b2514e8820ef52

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jul 14, 2016
Research Description
Simple Membership [simple-membership] < 3.2.9 WordPress Simple Membership Plugin <= 3.2.8 - Cross Site Scripting (XSS) Because of this vulnerability, the attackers can inject arbitrary web script or HTML. Update the plugin.
Affected versions
max 3.2.9.
Status
vulnerable

Simple Membership # 0155eb2d-3407-40b5-bb6a-549236191f0a

CVE, Research URL

0155eb2d-3407-40b5-bb6a-549236191f0a

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
-
Research Description
Simple Membership [simple-membership] < 3.2.9 Simple Membership &lt;= 3.2.8 - Cross-Site Scripting (XSS) The Simple Membership WordPress plugin was affected by a Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 3.2.9.
Status
vulnerable

Simple Membership # 17527cfb2d42b5bacb8d579c3d6814f8a6188bfb

CVE, Research URL

17527cfb2d42b5bacb8d579c3d6814f8a6188bfb

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Apr 05, 2021
Research Description
Simple Membership [simple-membership] < 4.0.4 Simple Membership <= 4.0.3 - Authenticated (Admin+) SQL Injections The Simple Membership plugin for WordPress is vulnerable to time-based SQL Injection via the 's' and 'status' parameters in versions up to, and including, 4.0.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated Admin+ attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 4.0.4.
Status
vulnerable
Apr 15, 2026

Simple Membership # CVE-2026-1461

CVE, Research URL

CVE-2026-1461

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Feb 19, 2026
Research Description
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
Affected versions
max 4.7.1.
Status
vulnerable

Simple Membership # CVE-2026-34886

CVE, Research URL

CVE-2026-34886

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
-
Research Description
Simple Membership [simple-membership] < 4.7.2 CVE-2026-34886
Affected versions
max 4.7.2.
Status
vulnerable
Feb 27, 2026

Simple Membership # CVE-2026-25308

CVE, Research URL

CVE-2026-25308

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Feb 19, 2026
Research Description
Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Membership: from n/a through <= 4.6.9.
Affected versions
max 4.7.0.
Status
vulnerable
Jun 14, 2025

Simple Membership # CVE-2025-49333

CVE, Research URL

CVE-2025-49333

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jun 06, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wp.insider Simple Membership simple-membership allows Stored XSS.This issue affects Simple Membership: from n/a through <= 4.6.3.
Affected versions
max 4.6.4.
Status
vulnerable
Nov 23, 2024

Simple Membership # CVE-2024-11088

CVE, Research URL

CVE-2024-11088

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Nov 21, 2024
Research Description
The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
Affected versions
max 4.5.6.
Status
vulnerable
Oct 24, 2024

Simple Membership # CVE-2024-49682

CVE, Research URL

CVE-2024-49682

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Oct 24, 2024
Research Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in wp.insider Simple Membership simple-membership allows Phishing.This issue affects Simple Membership: from n/a through <= 4.5.3.
Affected versions
max 4.5.4.
Status
vulnerable
Jun 07, 2024

Simple Membership # CVE-2022-0328

CVE, Research URL

CVE-2022-0328

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Feb 28, 2022
Research Description
The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
Affected versions
max 4.0.9.
Status
vulnerable

Simple Membership # CVE-2016-10884

CVE, Research URL

CVE-2016-10884

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Aug 14, 2019
Research Description
The simple-membership plugin before 3.3.3 for WordPress has multiple CSRF issues.
Affected versions
max 3.3.3.
Status
vulnerable

Simple Membership # CVE-2017-18499

CVE, Research URL

CVE-2017-18499

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Aug 12, 2019
Research Description
The simple-membership plugin before 3.5.7 for WordPress has XSS.
Affected versions
max 3.5.7.
Status
vulnerable

Simple Membership # CVE-2022-2317

CVE, Research URL

CVE-2022-2317

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Aug 01, 2022
Research Description
The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter.
Affected versions
max 4.1.3.
Status
vulnerable

Simple Membership # CVE-2019-14328

CVE, Research URL

CVE-2019-14328

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jul 28, 2019
Research Description
The Simple Membership plugin before 3.8.5 for WordPress has CSRF affecting the Bulk Operation section.
Affected versions
max 3.8.5.
Status
vulnerable

Simple Membership # CVE-2022-0681

CVE, Research URL

CVE-2022-0681

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Mar 22, 2022
Research Description
The Simple Membership WordPress plugin before 4.1.0 does not have CSRF check in place when deleting Transactions, which could allow attackers to make a logged in admin delete arbitrary transactions via a CSRF attack
Affected versions
max 4.1.0.
Status
vulnerable

Simple Membership # CVE-2023-41956

CVE, Research URL

CVE-2023-41956

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
May 17, 2024
Research Description
Improper Authentication vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.3.4.
Affected versions
max 4.3.5.
Status
vulnerable

Simple Membership # CVE-2023-6882

CVE, Research URL

CVE-2023-6882

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jan 11, 2024
Research Description
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 4.3.9.
Status
vulnerable

Simple Membership # CVE-2023-50376

CVE, Research URL

CVE-2023-50376

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Dec 19, 2023
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS.This issue affects Simple Membership: from n/a through 4.3.8.
Affected versions
max 4.3.9.
Status
vulnerable

Simple Membership # CVE-2022-1724

CVE, Research URL

CVE-2022-1724

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jun 13, 2022
Research Description
The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting
Affected versions
max 4.1.1.
Status
vulnerable

Simple Membership # CVE-2022-2273

CVE, Research URL

CVE-2022-2273

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Aug 01, 2022
Research Description
The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request.
Affected versions
max 4.1.3.
Status
vulnerable

Simple Membership # CVE-2022-4469

CVE, Research URL

CVE-2022-4469

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jan 16, 2023
Research Description
The Simple Membership WordPress plugin before 4.2.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.
Affected versions
max 4.2.2.
Status
vulnerable

Simple Membership # CVE-2023-4719

CVE, Research URL

CVE-2023-4719

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Sep 06, 2023
Research Description
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter in versions up to, and including, 4.3.5 due to insufficient input sanitization and output escaping. Using this vulnerability, unauthenticated attackers could inject arbitrary web scripts into pages that are being executed if they can successfully trick a user into taking an action, such as clicking a malicious link.
Affected versions
max 4.3.6.
Status
vulnerable

Simple Membership # CVE-2023-41957

CVE, Research URL

CVE-2023-41957

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
May 17, 2024
Research Description
Improper Privilege Management vulnerability in smp7, wp.Insider Simple Membership allows Privilege Escalation.This issue affects Simple Membership: from n/a through 4.3.4.
Affected versions
max 4.3.5.
Status
vulnerable

Simple Membership # CVE-2024-22308

CVE, Research URL

CVE-2024-22308

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Jan 24, 2024
Research Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.4.1.
Affected versions
max 4.4.2.
Status
vulnerable

Simple Membership # CVE-2024-1985

CVE, Research URL

CVE-2024-1985

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Mar 13, 2024
Research Description
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution.
Affected versions
max 4.4.3.
Status
vulnerable

Simple Membership # CVE-2024-3730

CVE, Research URL

CVE-2024-3730

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
Apr 25, 2024
Research Description
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.4.4.
Status
vulnerable

Simple Membership # CVE-2024-4383

CVE, Research URL

CVE-2024-4383

Home page URL

Security reports for Simple Membership

Application

Simple Membership

Date
May 14, 2024
Research Description
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.4.6.
Status
vulnerable