{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/webhook/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4100"}],"_cs_exploited":false,"_cs_products":["Paid Memberships Pro plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","stripe","webhook","vulnerability","plugin"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site\u0026rsquo;s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewp_ajax_pmpro_stripe_create_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_delete_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eOr, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_rebuild_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to missing capability checks, the server processes the request without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker\u0026rsquo;s request.\u003c/li\u003e\n\u003cli\u003eLegitimate payment processing and subscription management processes fail due to the altered webhook configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker effectively disrupts the site\u0026rsquo;s ability to collect payments and manage subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site\u0026rsquo;s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003epmpro_stripe_create_webhook\u003c/code\u003e, \u003ccode\u003epmpro_stripe_delete_webhook\u003c/code\u003e, or \u003ccode\u003epmpro_stripe_rebuild_webhook\u003c/code\u003e using the \u0026ldquo;Detect Suspicious PMPro Stripe Webhook AJAX Requests\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-pmpro-stripe-webhook-vuln/","summary":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.","title":"Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41395"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["webhook","replay-attack","plivo"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.28 is susceptible to a webhook replay vulnerability affecting Plivo V3 signature verification. The vulnerability arises from the application\u0026rsquo;s method of canonicalizing query parameter ordering for signature verification while simultaneously employing raw URLs for replay detection. This discrepancy allows attackers to manipulate the order of query parameters within a captured, valid, signed webhook, effectively bypassing the replay cache detection mechanism. This could lead to the unintended execution of duplicate voice-call processing. The vulnerability was reported on April 28, 2026, and poses a risk to systems relying on OpenClaw for processing Plivo webhooks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker captures a valid, signed webhook request from Plivo to OpenClaw.\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the captured webhook request, noting the query parameters and their order.\u003c/li\u003e\n\u003cli\u003eAttacker reorders the query parameters in the captured webhook request, while maintaining the validity of the signature (due to OpenClaw\u0026rsquo;s canonicalization of query ordering for signature verification).\u003c/li\u003e\n\u003cli\u003eAttacker replays the modified webhook request to the OpenClaw server.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the replayed webhook request because the replay detection mechanism is bypassed due to the reordered query parameters resulting in a different raw URL.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application initiates a duplicate voice-call processing as a result of the replayed webhook.\u003c/li\u003e\n\u003cli\u003eThe victim experiences unintended or duplicate voice calls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unintended or duplicate voice calls, potentially causing disruption of services and financial implications due to unnecessary call charges. While the direct impact is limited to the processing of voice calls, the vulnerability highlights a weakness in webhook security that could be exploited further in other contexts. The severity is rated as HIGH with a CVSS v3.1 score of 7.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41395).\u003c/li\u003e\n\u003cli\u003eImplement server-side logging for all incoming webhook requests, capturing the raw request URL and timestamp. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Webhook Replay\u003c/code\u003e to identify potential replay attacks based on duplicate URLs within a short timeframe.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional server-side validation of webhook requests, such as verifying the timestamp to ensure it falls within an acceptable window.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-webhook-replay/","summary":"OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.","title":"OpenClaw Webhook Replay Vulnerability (CVE-2026-41395)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-webhook-replay/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41405"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","webhook","cve-2026-41405"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 is vulnerable to a resource exhaustion attack due to improper handling of MS Teams webhook requests. The application parses the request body before validating the JWT, which allows unauthenticated attackers to send malicious payloads. By sending specially crafted Teams webhook payloads, attackers can bypass authentication checks and exhaust server resources. This vulnerability, identified as CVE-2026-41405, can lead to denial of service and impacts systems where OpenClaw is used to process MS Teams webhooks. Successful exploitation can severely degrade or halt OpenClaw\u0026rsquo;s functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an OpenClaw instance processing MS Teams webhooks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious MS Teams webhook payload designed to consume excessive resources during parsing.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious webhook payload to the OpenClaw endpoint.\u003c/li\u003e\n\u003cli\u003eOpenClaw receives the webhook request and begins parsing the request body \u003cem\u003ebefore\u003c/em\u003e JWT validation.\u003c/li\u003e\n\u003cli\u003eThe malicious payload triggers excessive resource consumption (CPU, memory) during the parsing stage.\u003c/li\u003e\n\u003cli\u003eThe parsing process exhausts available server resources.\u003c/li\u003e\n\u003cli\u003eOpenClaw becomes unresponsive or crashes due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eLegitimate MS Teams webhook requests are no longer processed, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, rendering OpenClaw unresponsive. This can disrupt any services relying on OpenClaw for MS Teams webhook processing. While the precise number of affected organizations is unknown, any organization using a vulnerable version of OpenClaw is at risk. The impact includes potential loss of data, interrupted workflows, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41405.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the MS Teams webhook endpoint to mitigate resource exhaustion, even after patching.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for unusual traffic patterns and large request sizes to the MS Teams webhook endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Number of Requests to Teams Webhook\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-resource-exhaustion/","summary":"OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.","title":"OpenClaw MS Teams Webhook Resource Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Stripe Webhook"],"_cs_severities":["critical"],"_cs_tags":["stripe","webhook","signature-bypass","quota-fraud"],"_cs_type":"advisory","_cs_vendors":["Stripe"],"content_html":"\u003cp\u003eA critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the \u003ccode\u003eRecharge\u003c/code\u003e function does not validate that the order\u0026rsquo;s \u003ccode\u003ePaymentMethod\u003c/code\u003e matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a user account on the target platform.\u003c/li\u003e\n\u003cli\u003eAttacker calls \u003ccode\u003ePOST /api/user/pay\u003c/code\u003e to create an Epay top-up order, setting the \u003ccode\u003eamount\u003c/code\u003e. The order is stored with a \u003ccode\u003epending\u003c/code\u003e status.\u003c/li\u003e\n\u003cli\u003eAttacker queries \u003ccode\u003eGET /api/user/topup/self\u003c/code\u003e to retrieve the \u003ccode\u003etrade_no\u003c/code\u003e of the pending order.\u003c/li\u003e\n\u003cli\u003eAttacker computes an \u003ccode\u003eHMAC-SHA256\u003c/code\u003e signature with an empty key over a crafted \u003ccode\u003echeckout.session.completed\u003c/code\u003e payload. This payload contains the stolen \u003ccode\u003etrade_no\u003c/code\u003e as the \u003ccode\u003eclient_reference_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e with the forged payload and a crafted \u003ccode\u003eStripe-Signature\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe server verifies the signature, which passes because the \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty.\u003c/li\u003e\n\u003cli\u003eThe server calls the \u003ccode\u003eRecharge()\u003c/code\u003e function, which finds the Epay order by \u003ccode\u003etrade_no\u003c/code\u003e, marks the order as \u003ccode\u003esuccess\u003c/code\u003e, and credits the attacker\u0026rsquo;s account with the full quota.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSet \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).\u003c/li\u003e\n\u003cli\u003eApply a reverse proxy (Nginx, Caddy, etc.) to deny access to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e if Stripe is not configured, as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Forged Stripe Webhook Request\u003c/code\u003e to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.\u003c/li\u003e\n\u003cli\u003eUpgrade to v0.12.10 immediately, as it addresses all three flaws completely.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T15:43:25Z","date_published":"2026-04-24T15:43:25Z","id":"/briefs/2026-04-stripe-webhook-bypass/","summary":"A vulnerability in the Stripe webhook handler allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without payment, stemming from an empty StripeWebhookSecret and lack of PaymentMethod validation, enabling cross-gateway exploitation.","title":"Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud","url":"https://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-35216"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-35216","budibase","rce","webhook"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBudibase, an open-source low-code platform, is vulnerable to remote code execution (RCE) in versions prior to 3.33.4. This vulnerability, identified as CVE-2026-35216, allows an unauthenticated attacker to execute arbitrary commands on the Budibase server. The attack involves leveraging the public webhook endpoint to trigger an automation containing a Bash step. Due to the lack of authentication, malicious actors can directly interact with the webhook to initiate the execution. The process runs as root within the container, increasing the severity of the impact. Budibase patched this vulnerability in version 3.33.4. Defenders must upgrade to the latest version to mitigate this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Budibase instance running a version prior to 3.33.4.\u003c/li\u003e\n\u003cli\u003eThe attacker locates a public webhook endpoint exposed by the Budibase instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the webhook endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request triggers a pre-configured automation within Budibase.\u003c/li\u003e\n\u003cli\u003eThe automation contains a Bash step that executes attacker-controlled commands.\u003c/li\u003e\n\u003cli\u003eThe Bash script executes as root within the container.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Budibase server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35216 allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected Budibase server. Since the process executes as root within the container, the attacker gains complete control over the Budibase instance. This can lead to data breaches, service disruption, or further lateral movement within the network. Organizations using vulnerable Budibase versions are at high risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.33.4 or later to patch CVE-2026-35216.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to webhook endpoints associated with Budibase to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect the execution of bash commands in automations triggered by webhooks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T16:16:41Z","date_published":"2026-04-03T16:16:41Z","id":"/briefs/2026-04-budibase-rce/","summary":"Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.","title":"Budibase Unauthenticated Remote Code Execution via Webhook","url":"https://feed.craftedsignal.io/briefs/2026-04-budibase-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-34505"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rate-limiting","brute-force","webhook","cve-2026-34505"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.12 are vulnerable to a rate-limiting bypass (CVE-2026-34505). The vulnerability exists because rate limiting is only applied after successful webhook authentication. This design flaw enables attackers to send numerous authentication requests with incorrect secrets without triggering rate limits. The vulnerability was reported on March 31, 2026. Successful exploitation allows attackers to systematically guess webhook secrets and subsequently submit forged…\u003c/p\u003e\n","date_modified":"2026-03-31T12:16:30Z","date_published":"2026-03-31T12:16:30Z","id":"/briefs/2026-03-openclaw-rate-limit-bypass/","summary":"OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets leading to forged webhook submission.","title":"OpenClaw Webhook Rate Limit Bypass Vulnerability (CVE-2026-34505)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-rate-limit-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","webhook","cve-2026-32974"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.12 is susceptible to an authentication bypass vulnerability (CVE-2026-32974) affecting Feishu webhook integrations. This vulnerability arises when the \u003ccode\u003everificationToken\u003c/code\u003e is configured without the \u003ccode\u003eencryptKey\u003c/code\u003e. This configuration flaw enables unauthenticated attackers to forge Feishu events and send them to the webhook endpoint. Successful exploitation allows attackers to trigger arbitrary downstream tool execution within the OpenClaw environment. This is a…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:01Z","date_published":"2026-03-29T13:17:01Z","id":"/briefs/2026-03-openclaw-auth-bypass/","summary":"OpenClaw before 2026.3.12 is vulnerable to an authentication bypass in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing unauthenticated network attackers to inject forged Feishu events and trigger downstream tool execution.","title":"OpenClaw Feishu Webhook Authentication Bypass (CVE-2026-32974)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Webhook","version":"https://jsonfeed.org/version/1.1"}