WordPress Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption vulnerability

Missing Authorization to Authenticated Subscriber+ Stripe Webhook Deletion and Payment Processing Disruption vulnerability discovered by Jared Reyes in WordPress Plugin Paid Memberships Pro versions = 3.6.5...

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

PT-2026-36609

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wp ajax pmpro stripe create webhook, wp ajax pmpro stripe delete...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...

CVE-2026-40481

monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...

GHSA-V7XQ-3WX6-FQC2 In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation

Summary The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service. Details When Stripe webhooks are enabled,...

PT-2026-33217

Summary The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service. Details When Stripe webhooks are enabled,...

EUVD-2026-19584

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook...

CVE-2026-3177

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook...

CVE-2026-3177 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook...

PT-2026-30800

Name of the Vulnerable Software and Affected Versions The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More versions through 1.8.9.7 Description The Charitable – Donation Plugin for WordPress is affected by a flaw due to missing cryptographic verification of...

CVE-2026-1461

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured,...