
Missing auth checks let Subscribers tamper with Stripe webhooks in PMPro

2 min read | Published 02 May 2026 | Updated 02 May 2026 | Source: CVEProject (cvelistV5)

TL;DR - Paid Memberships Pro <= 3.6.5: three Stripe webhook management AJAX handlers have no capability checks. Any authenticated user - Subscriber or above - can delete, create, or rebuild your site's Stripe webhook configuration, breaking payment processing.

What happened

Paid Memberships Pro is a WordPress membership and subscriptions plugin that handles paid plans via Stripe. CVE-2026-4100 identifies missing authorization checks on three authenticated AJAX handlers:

  • wp_ajax_pmpro_stripe_create_webhook
  • wp_ajax_pmpro_stripe_delete_webhook
  • wp_ajax_pmpro_stripe_rebuild_webhook

All three are reachable through admin-ajax.php with nothing more than a low-privilege WordPress account. A Subscriber can call them directly. No admin session required.

The blast radius is operational. Stripe webhooks are how your site hears about renewals, cancellations, failed charges, and refunds. Tamper with that configuration and payment state goes silent - subscriptions stay active after cancellation, failed payment retries never fire, and your Stripe dashboard diverges from your membership database.

Item                  Detail
Affected component    WordPress plugin Paid Memberships Pro
Affected versions     <= 3.6.5
Severity              CVSS 3.1 7.1 (High)

This is not an exotic bug class. It is a standard WordPress pattern gone wrong: admin-grade actions exposed to all authenticated users because the capability check was skipped. Any site with open registration gives every free member a working exploit.
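The pattern described above, and the guard that fixes it, as an added PHP example. This is not Paid Memberships Pro's own code: the three hook names are the ones in the CVE record, but the example_ function names, the stand-in Stripe operation, the manage_options capability and the nonce action/field names are assumptions for illustration.

```php
<?php
// Added example (not Paid Memberships Pro's own code). It shows the bug class
// this advisory describes: a wp_ajax_* handler that performs an admin-grade
// action without a capability check. The three hook names are the ones named
// in the CVE record; the function bodies, the 'manage_options' capability and
// the nonce action/field names are assumptions for illustration.

// Stand-in for the code that would talk to the Stripe API (hypothetical).
function example_stripe_webhook_operation( string $op ): array {
    return array( 'operation' => $op, 'ok' => true );
}

// BEFORE (vulnerable pattern, shown but not registered below). The
// wp_ajax_{action} hook fires for every logged-in user, Subscribers included,
// and nothing here asks who is calling. This is the shape of handler the
// advisory describes.
function example_vulnerable_delete_webhook() {
    wp_send_json_success( example_stripe_webhook_operation( 'delete' ) );
}

// AFTER (hardened pattern). One guard shared by all three handlers:
//  1. capability check - only administrators may change webhook config;
//  2. nonce check      - a tricked admin's browser cannot be made to do it (CSRF).
// Both helpers end the request on failure, so nothing after them runs.
function example_require_webhook_admin(): void {
    if ( ! current_user_can( 'manage_options' ) ) {            // assumed capability
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    check_ajax_referer( 'example_pmpro_webhook', 'nonce' );    // assumed nonce action + field
}

function example_hardened_create_webhook() {
    example_require_webhook_admin();
    wp_send_json_success( example_stripe_webhook_operation( 'create' ) );
}

function example_hardened_delete_webhook() {
    example_require_webhook_admin();
    wp_send_json_success( example_stripe_webhook_operation( 'delete' ) );
}

function example_hardened_rebuild_webhook() {
    example_require_webhook_admin();
    wp_send_json_success( example_stripe_webhook_operation( 'rebuild' ) );
}

// Register only the authenticated (wp_ajax_) hooks; never wp_ajax_nopriv_ for
// admin-grade actions. The admin page's JavaScript receives the nonce from
// wp_create_nonce( 'example_pmpro_webhook' ) and sends it back as 'nonce'.
add_action( 'wp_ajax_pmpro_stripe_create_webhook',  'example_hardened_create_webhook' );
add_action( 'wp_ajax_pmpro_stripe_delete_webhook',  'example_hardened_delete_webhook' );
add_action( 'wp_ajax_pmpro_stripe_rebuild_webhook', 'example_hardened_rebuild_webhook' );
```

The capability check is the authorization fix; the nonce check is separate and guards against cross-site request forgery of an administrator's session. A handler needs both, and the check must run before any side effect, not after.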

Who is impacted

  • WordPress sites running Paid Memberships Pro at versions <= 3.6.5.
  • Sites with open registration or free membership tiers - anywhere an untrusted user can obtain a Subscriber account.
  • Any deployment relying on Stripe webhooks for subscription renewals, cancellation handling, failed payment retries, or payment state synchronisation.

What to do now

  • Update Paid Memberships Pro to the latest patched release (the CVE record lists affected versions as <= 3.6.5).
  • Audit your WordPress user roster. Remove stale Subscriber accounts, test users, and any role grants that should not exist.
  • Check your Stripe dashboard directly and confirm that webhook endpoints and signing secrets match what you expect.
  • Review admin-ajax.php access logs and WAF telemetry for requests invoking:
    • pmpro_stripe_create_webhook
    • pmpro_stripe_delete_webhook
    • pmpro_stripe_rebuild_webhook
  • If you find evidence of tampering, treat it as a payments integrity incident. Scope the impact, restore the correct webhook configuration, and verify that Stripe event delivery resumed cleanly.
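A triage helper for the log review step above, as an added PHP example that is not from the advisory or the plugin. It scans access-log lines in combined log format for admin-ajax.php requests whose action is one of the three handlers named above; the sample lines, IP addresses and function name are constructed.

```php
<?php
// Added example (not from the advisory or the plugin). Scans web-server
// access-log lines for admin-ajax.php requests whose action is one of the
// three webhook handlers named in the CVE record. Sample lines are constructed.

const EXAMPLE_PMPRO_WEBHOOK_ACTIONS = array(
    'pmpro_stripe_create_webhook',
    'pmpro_stripe_delete_webhook',
    'pmpro_stripe_rebuild_webhook',
);

// Constructed sample access log (combined log format). The second line has the
// action in the POST body, which access logs do not record; it will not match.
$example_log = <<<'LOG'
203.0.113.10 - - [02/May/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=pmpro_stripe_delete_webhook HTTP/1.1" 200 51 "-" "curl/8.0"
198.51.100.7 - - [02/May/2026:10:14:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.10 - - [02/May/2026:10:15:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 2 "-" "Mozilla/5.0"
203.0.113.10 - - [02/May/2026:10:16:44 +0000] "POST /wp-admin/admin-ajax.php?action=pmpro_stripe_rebuild_webhook&nonce=x HTTP/1.1" 200 51 "-" "curl/8.0"
LOG;

/**
 * Return one entry per matching request: ip, time, method and action.
 */
function example_find_webhook_ajax_hits( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        // Combined log format: ip ident user [time] "METHOD path proto" status ...
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $time, $method, $path ) = $m;
        $parts = parse_url( $path );
        if ( ! isset( $parts['path'] ) || basename( $parts['path'] ) !== 'admin-ajax.php' ) {
            continue;
        }
        $query = array();
        if ( isset( $parts['query'] ) ) {
            parse_str( $parts['query'], $query );
        }
        if ( isset( $query['action'] ) && in_array( $query['action'], EXAMPLE_PMPRO_WEBHOOK_ACTIONS, true ) ) {
            $hits[] = array(
                'ip'     => $ip,
                'time'   => $time,
                'method' => $method,
                'action' => $query['action'],
            );
        }
    }
    return $hits;
}

// Two of the four constructed lines match (the delete and rebuild calls).
foreach ( example_find_webhook_ajax_hits( $example_log ) as $hit ) {
    printf( "%s %s %s %s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['action'] );
}
```

Because admin-ajax.php normally receives action in the POST body, a plain access log only exposes callers who put it in the query string. Requests like the second sample line can only be classified from WAF or request-body logging, which is why the step above names both sources. A hit from a Subscriber-level session, or from a user agent that is not a browser, is the signal worth escalating.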

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
