https://feed.craftedsignal.io/tags/webhook/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 12:16:16 +0000https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/Sat, 02 May 2026 12:16:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.The Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site’s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.

Attack Chain

1. An attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.
2. The attacker crafts a malicious AJAX request targeting the wp_ajax_pmpro_stripe_create_webhook endpoint.
3. Alternatively, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_delete_webhook endpoint.
4. Or, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_rebuild_webhook endpoint.
5. Due to missing capability checks, the server processes the request without proper authorization.
6. The Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker’s request.
7. Legitimate payment processing and subscription management processes fail due to the altered webhook configuration.
8. The attacker effectively disrupts the site’s ability to collect payments and manage subscriptions.

Impact

Successful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site’s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.

Recommendation

• Immediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.
• Monitor WordPress web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, or pmpro_stripe_rebuild_webhook using the “Detect Suspicious PMPro Stripe Webhook AJAX Requests” Sigma rule.
• Review user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.

]]>highadvisorywordpressstripewebhookvulnerabilitypluginhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-webhook-replay/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-webhook-replay/OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.OpenClaw before version 2026.3.28 is susceptible to a webhook replay vulnerability affecting Plivo V3 signature verification. The vulnerability arises from the application’s method of canonicalizing query parameter ordering for signature verification while simultaneously employing raw URLs for replay detection. This discrepancy allows attackers to manipulate the order of query parameters within a captured, valid, signed webhook, effectively bypassing the replay cache detection mechanism. This could lead to the unintended execution of duplicate voice-call processing. The vulnerability was reported on April 28, 2026, and poses a risk to systems relying on OpenClaw for processing Plivo webhooks.

Attack Chain

1. Attacker captures a valid, signed webhook request from Plivo to OpenClaw.
2. Attacker analyzes the captured webhook request, noting the query parameters and their order.
3. Attacker reorders the query parameters in the captured webhook request, while maintaining the validity of the signature (due to OpenClaw’s canonicalization of query ordering for signature verification).
4. Attacker replays the modified webhook request to the OpenClaw server.
5. OpenClaw processes the replayed webhook request because the replay detection mechanism is bypassed due to the reordered query parameters resulting in a different raw URL.
6. The OpenClaw application initiates a duplicate voice-call processing as a result of the replayed webhook.
7. The victim experiences unintended or duplicate voice calls.

Impact

Successful exploitation of this vulnerability can lead to unintended or duplicate voice calls, potentially causing disruption of services and financial implications due to unnecessary call charges. While the direct impact is limited to the processing of voice calls, the vulnerability highlights a weakness in webhook security that could be exploited further in other contexts. The severity is rated as HIGH with a CVSS v3.1 score of 7.5.

Recommendation

• Upgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41395).
• Implement server-side logging for all incoming webhook requests, capturing the raw request URL and timestamp. Deploy the Sigma rule Detect Suspicious Webhook Replay to identify potential replay attacks based on duplicate URLs within a short timeframe.
• Consider implementing additional server-side validation of webhook requests, such as verifying the timestamp to ensure it falls within an acceptable window.

]]>mediumadvisorywebhookreplay-attackplivohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.OpenClaw before version 2026.3.31 is vulnerable to a resource exhaustion attack due to improper handling of MS Teams webhook requests. The application parses the request body before validating the JWT, which allows unauthenticated attackers to send malicious payloads. By sending specially crafted Teams webhook payloads, attackers can bypass authentication checks and exhaust server resources. This vulnerability, identified as CVE-2026-41405, can lead to denial of service and impacts systems where OpenClaw is used to process MS Teams webhooks. Successful exploitation can severely degrade or halt OpenClaw’s functionality.

Attack Chain

1. An unauthenticated attacker identifies an OpenClaw instance processing MS Teams webhooks.
2. The attacker crafts a malicious MS Teams webhook payload designed to consume excessive resources during parsing.
3. The attacker sends the malicious webhook payload to the OpenClaw endpoint.
4. OpenClaw receives the webhook request and begins parsing the request body before JWT validation.
5. The malicious payload triggers excessive resource consumption (CPU, memory) during the parsing stage.
6. The parsing process exhausts available server resources.
7. OpenClaw becomes unresponsive or crashes due to resource exhaustion.
8. Legitimate MS Teams webhook requests are no longer processed, leading to a denial of service.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition, rendering OpenClaw unresponsive. This can disrupt any services relying on OpenClaw for MS Teams webhook processing. While the precise number of affected organizations is unknown, any organization using a vulnerable version of OpenClaw is at risk. The impact includes potential loss of data, interrupted workflows, and reputational damage.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41405.
• Implement rate limiting on the MS Teams webhook endpoint to mitigate resource exhaustion, even after patching.
• Monitor web server logs (category webserver, product linux) for unusual traffic patterns and large request sizes to the MS Teams webhook endpoint.
• Deploy the Sigma rule Detect High Number of Requests to Teams Webhook to identify potential exploitation attempts.

]]>mediumadvisoryresource-exhaustionwebhookcve-2026-41405https://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/Fri, 24 Apr 2026 15:43:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/A vulnerability in the Stripe webhook handler allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without payment, stemming from an empty StripeWebhookSecret and lack of PaymentMethod validation, enabling cross-gateway exploitation.A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when StripeWebhookSecret is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the Recharge function does not validate that the order’s PaymentMethod matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.

Attack Chain

1. Attacker registers a user account on the target platform.
2. Attacker calls POST /api/user/pay to create an Epay top-up order, setting the amount. The order is stored with a pending status.
3. Attacker queries GET /api/user/topup/self to retrieve the trade_no of the pending order.
4. Attacker computes an HMAC-SHA256 signature with an empty key over a crafted checkout.session.completed payload. This payload contains the stolen trade_no as the client_reference_id.
5. Attacker sends a POST request to /api/stripe/webhook with the forged payload and a crafted Stripe-Signature header.
6. The server verifies the signature, which passes because the StripeWebhookSecret is empty.
7. The server calls the Recharge() function, which finds the Epay order by trade_no, marks the order as success, and credits the attacker’s account with the full quota.
8. The attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.

Impact

This vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.

Recommendation

• Set StripeWebhookSecret to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).
• Apply a reverse proxy (Nginx, Caddy, etc.) to deny access to /api/stripe/webhook if Stripe is not configured, as a temporary workaround.
• Deploy the Sigma rule Detect Forged Stripe Webhook Request to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.
• Upgrade to v0.12.10 immediately, as it addresses all three flaws completely.

]]>criticaladvisorystripewebhooksignature-bypassquota-fraudhttps://feed.craftedsignal.io/briefs/2026-04-budibase-rce/Fri, 03 Apr 2026 16:16:41 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-budibase-rce/Budibase versions before 3.33.4 are susceptible to unauthenticated remote code execution, where a threat actor can trigger a Bash step within an automation via the public webhook endpoint, leading to code execution as root within the container.Budibase, an open-source low-code platform, is vulnerable to remote code execution (RCE) in versions prior to 3.33.4. This vulnerability, identified as CVE-2026-35216, allows an unauthenticated attacker to execute arbitrary commands on the Budibase server. The attack involves leveraging the public webhook endpoint to trigger an automation containing a Bash step. Due to the lack of authentication, malicious actors can directly interact with the webhook to initiate the execution. The process runs as root within the container, increasing the severity of the impact. Budibase patched this vulnerability in version 3.33.4. Defenders must upgrade to the latest version to mitigate this threat.

Attack Chain

1. The attacker identifies a Budibase instance running a version prior to 3.33.4.
2. The attacker locates a public webhook endpoint exposed by the Budibase instance.
3. The attacker crafts a malicious HTTP request targeting the webhook endpoint.
4. The crafted request triggers a pre-configured automation within Budibase.
5. The automation contains a Bash step that executes attacker-controlled commands.
6. The Bash script executes as root within the container.
7. The attacker gains control of the Budibase server.

Impact

Successful exploitation of CVE-2026-35216 allows an unauthenticated attacker to achieve remote code execution (RCE) on the affected Budibase server. Since the process executes as root within the container, the attacker gains complete control over the Budibase instance. This can lead to data breaches, service disruption, or further lateral movement within the network. Organizations using vulnerable Budibase versions are at high risk of compromise.

Recommendation

• Upgrade Budibase to version 3.33.4 or later to patch CVE-2026-35216.
• Monitor web server logs for suspicious POST requests to webhook endpoints associated with Budibase to detect exploitation attempts.
• Deploy the Sigma rule provided to detect the execution of bash commands in automations triggered by webhooks.

]]>criticaladvisoryCVE-2026-35216budibasercewebhookhttps://feed.craftedsignal.io/briefs/2026-03-openclaw-rate-limit-bypass/Tue, 31 Mar 2026 12:16:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-openclaw-rate-limit-bypass/OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets leading to forged webhook submission.<p>OpenClaw versions prior to 2026.3.12 are vulnerable to a rate-limiting bypass (CVE-2026-34505). The vulnerability exists because rate limiting is only applied after successful webhook authentication. This design flaw enables attackers to send numerous authentication requests with incorrect secrets without triggering rate limits. The vulnerability was reported on March 31, 2026. Successful exploitation allows attackers to systematically guess webhook secrets and subsequently submit forged…</p> criticaladvisoryrate-limitingbrute-forcewebhookcve-2026-34505https://feed.craftedsignal.io/briefs/2026-03-openclaw-auth-bypass/Sun, 29 Mar 2026 13:17:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-openclaw-auth-bypass/OpenClaw before 2026.3.12 is vulnerable to an authentication bypass in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing unauthenticated network attackers to inject forged Feishu events and trigger downstream tool execution.OpenClaw before version 2026.3.12 is susceptible to an authentication bypass vulnerability (CVE-2026-32974) affecting Feishu webhook integrations. This vulnerability arises when the verificationToken is configured without the encryptKey. This configuration flaw enables unauthenticated attackers to forge Feishu events and send them to the webhook endpoint. Successful exploitation allows attackers to trigger arbitrary downstream tool execution within the OpenClaw environment. This is a…

]]>highadvisoryauthentication-bypasswebhookcve-2026-32974