Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification

hello@craftedsignal.io — Sat, 02 May 2026 12:16:16 +0000

The Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site’s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.

Attack Chain

An attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.
The attacker crafts a malicious AJAX request targeting the wp_ajax_pmpro_stripe_create_webhook endpoint.
Alternatively, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_delete_webhook endpoint.
Or, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_rebuild_webhook endpoint.
Due to missing capability checks, the server processes the request without proper authorization.
The Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker’s request.
Legitimate payment processing and subscription management processes fail due to the altered webhook configuration.
The attacker effectively disrupts the site’s ability to collect payments and manage subscriptions.

Impact

Successful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site’s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.

Recommendation

Immediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.
Monitor WordPress web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, or pmpro_stripe_rebuild_webhook using the “Detect Suspicious PMPro Stripe Webhook AJAX Requests” Sigma rule.
Review user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.

Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

hello@craftedsignal.io — Fri, 24 Apr 2026 15:43:25 +0000

A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when StripeWebhookSecret is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the Recharge function does not validate that the order’s PaymentMethod matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.

Attack Chain

Attacker registers a user account on the target platform.
Attacker calls POST /api/user/pay to create an Epay top-up order, setting the amount. The order is stored with a pending status.
Attacker queries GET /api/user/topup/self to retrieve the trade_no of the pending order.
Attacker computes an HMAC-SHA256 signature with an empty key over a crafted checkout.session.completed payload. This payload contains the stolen trade_no as the client_reference_id.
Attacker sends a POST request to /api/stripe/webhook with the forged payload and a crafted Stripe-Signature header.
The server verifies the signature, which passes because the StripeWebhookSecret is empty.
The server calls the Recharge() function, which finds the Epay order by trade_no, marks the order as success, and credits the attacker’s account with the full quota.
The attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.

Impact

This vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.

Recommendation

Set StripeWebhookSecret to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).
Apply a reverse proxy (Nginx, Caddy, etc.) to deny access to /api/stripe/webhook if Stripe is not configured, as a temporary workaround.
Deploy the Sigma rule Detect Forged Stripe Webhook Request to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.
Upgrade to v0.12.10 immediately, as it addresses all three flaws completely.

Stripe — CraftedSignal Threat Feed

Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification

Attack Chain

Impact

Recommendation

Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

Attack Chain

Impact

Recommendation