{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/stripe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4100"}],"_cs_exploited":false,"_cs_products":["Paid Memberships Pro plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","stripe","webhook","vulnerability","plugin"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site\u0026rsquo;s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewp_ajax_pmpro_stripe_create_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_delete_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eOr, the attacker crafts a malicious AJAX request to the \u003ccode\u003ewp_ajax_pmpro_stripe_rebuild_webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to missing capability checks, the server processes the request without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker\u0026rsquo;s request.\u003c/li\u003e\n\u003cli\u003eLegitimate payment processing and subscription management processes fail due to the altered webhook configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker effectively disrupts the site\u0026rsquo;s ability to collect payments and manage subscriptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site\u0026rsquo;s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003epmpro_stripe_create_webhook\u003c/code\u003e, \u003ccode\u003epmpro_stripe_delete_webhook\u003c/code\u003e, or \u003ccode\u003epmpro_stripe_rebuild_webhook\u003c/code\u003e using the \u0026ldquo;Detect Suspicious PMPro Stripe Webhook AJAX Requests\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-pmpro-stripe-webhook-vuln/","summary":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.","title":"Paid Memberships Pro Plugin Vulnerability Allows Unauthorized Stripe Webhook Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Stripe Webhook"],"_cs_severities":["critical"],"_cs_tags":["stripe","webhook","signature-bypass","quota-fraud"],"_cs_type":"advisory","_cs_vendors":["Stripe"],"content_html":"\u003cp\u003eA critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the \u003ccode\u003eRecharge\u003c/code\u003e function does not validate that the order\u0026rsquo;s \u003ccode\u003ePaymentMethod\u003c/code\u003e matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a user account on the target platform.\u003c/li\u003e\n\u003cli\u003eAttacker calls \u003ccode\u003ePOST /api/user/pay\u003c/code\u003e to create an Epay top-up order, setting the \u003ccode\u003eamount\u003c/code\u003e. The order is stored with a \u003ccode\u003epending\u003c/code\u003e status.\u003c/li\u003e\n\u003cli\u003eAttacker queries \u003ccode\u003eGET /api/user/topup/self\u003c/code\u003e to retrieve the \u003ccode\u003etrade_no\u003c/code\u003e of the pending order.\u003c/li\u003e\n\u003cli\u003eAttacker computes an \u003ccode\u003eHMAC-SHA256\u003c/code\u003e signature with an empty key over a crafted \u003ccode\u003echeckout.session.completed\u003c/code\u003e payload. This payload contains the stolen \u003ccode\u003etrade_no\u003c/code\u003e as the \u003ccode\u003eclient_reference_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e with the forged payload and a crafted \u003ccode\u003eStripe-Signature\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe server verifies the signature, which passes because the \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty.\u003c/li\u003e\n\u003cli\u003eThe server calls the \u003ccode\u003eRecharge()\u003c/code\u003e function, which finds the Epay order by \u003ccode\u003etrade_no\u003c/code\u003e, marks the order as \u003ccode\u003esuccess\u003c/code\u003e, and credits the attacker\u0026rsquo;s account with the full quota.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSet \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).\u003c/li\u003e\n\u003cli\u003eApply a reverse proxy (Nginx, Caddy, etc.) to deny access to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e if Stripe is not configured, as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Forged Stripe Webhook Request\u003c/code\u003e to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.\u003c/li\u003e\n\u003cli\u003eUpgrade to v0.12.10 immediately, as it addresses all three flaws completely.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T15:43:25Z","date_published":"2026-04-24T15:43:25Z","id":"/briefs/2026-04-stripe-webhook-bypass/","summary":"A vulnerability in the Stripe webhook handler allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without payment, stemming from an empty StripeWebhookSecret and lack of PaymentMethod validation, enabling cross-gateway exploitation.","title":"Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud","url":"https://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-2892"}],"_cs_exploited":false,"_cs_products":["Otter Blocks plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","purchase-bypass","CVE-2026-2892","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Stripe","WordPress"],"content_html":"\u003cp\u003eThe Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin\u0026rsquo;s reliance on an unsigned cookie, \u0026lsquo;o_stripe_data\u0026rsquo;, to determine Stripe product ownership for unauthenticated users. The \u0026lsquo;get_customer_data\u0026rsquo; method uses this cookie, and the subsequent \u0026lsquo;check_purchase\u0026rsquo; method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block\u0026rsquo;s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version \u0026lt;= 3.1.4).\u003c/li\u003e\n\u003cli\u003eThe attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u0026lsquo;o_stripe_data\u0026rsquo; cookie containing the target product ID.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie in their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the purchase-gated content on the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;get_customer_data\u0026rsquo; method reads the forged \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;check_purchase\u0026rsquo; method incorrectly validates the forged purchase data without server-side verification against the Stripe API.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious cookie manipulation activity, specifically targeting the \u0026lsquo;o_stripe_data\u0026rsquo; cookie.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-24T12:00:00Z","date_published":"2024-06-24T12:00:00Z","id":"/briefs/2026-06-otter-blocks-bypass/","summary":"CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.","title":"Otter Blocks Plugin Purchase Verification Bypass Vulnerability (CVE-2026-2892)","url":"https://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Stripe","version":"https://jsonfeed.org/version/1.1"}