55 matches found
EUVD-2026-37847
The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...
CVE-2026-5167
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handlewebhook function. The...
Improper Authentication
github.com/QuantumNous/new-api is vulnerable to Improper Authentication. The vulnerability is due to insufficient validation of Stripe webhook events, which allows an attacker to forge webhook requests and fraudulently credit quota to an account without making a payment...
CVE-2026-41432
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...
CVE-2026-41432
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...
CVE-2026-41432 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...
CVE-2026-41432
CVE-2026-41432 affects New API versions prior to 0.12.10. The Stripe webhook endpoint is exposed at /api/stripe/webhook and is vulnerable when StripeWebhookSecret is empty, enabling an unauthenticated attacker to forge webhook events and fraudulently credit quota. Root causes listed across source...
CVE-2026-41432 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...
New API 数据伪造问题漏洞
The New API is an interface software developed by QuantumNous. Versions of the New API prior to 0.12.10 had a data manipulation vulnerability. This vulnerability stems from defects in the Stripe webhook handler, which could allow unauthorized attackers to forge webhook events and arbitrarily...
CVE-2026-4100
The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...
CVE-2026-4100
The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...
CVE-2026-4100 Paid Memberships Pro <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption
The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...
CVE-2026-4100
The CVE concerns the Paid Memberships Pro plugin for WordPress, affecting all versions up to 3.6.5. The root cause is missing capability checks on three AJAX handlers: wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, and wp_ajax_pmpro_stripe_rebuild_webhook. This allows a...
CVE-2026-4100 Paid Memberships Pro <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption
The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...
EUVD-2026-26782
The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...
WordPress plugin Paid Memberships Pro 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
GHSA-XFF3-5C9P-2MR4 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
Summary A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws: 1. The Stripe webhook endpoint does n...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the StripeWebhook process. An attacker can gain unauthorized quota credits and perform financial fraud by forging webhook requests with a publicly computable signature when the webhook...
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
Summary A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. The vulnerability stems from three compounding flaws: 1. The Stripe webhook endpoint does n...
PT-2026-35034
Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.10 Description A flaw in the Stripe webhook handler allows unauthenticated attackers to forge webhook events and credit arbitrary quota to their accounts without payment. This is caused by three issues: the syste...