https://feed.craftedsignal.io/vendors/stripe/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 12:16:16 +0000https://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/Sat, 02 May 2026 12:16:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-pmpro-stripe-webhook-vuln/The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.The Paid Memberships Pro plugin, a popular WordPress plugin for managing paid subscriptions, contains a vulnerability (CVE-2026-4100) that allows authenticated attackers with minimal privileges (Subscriber-level access) to manipulate Stripe webhook configurations. This flaw exists in versions up to and including 3.6.5 due to missing capability checks on specific AJAX handlers. An attacker exploiting this vulnerability can delete, create, or rebuild the site’s Stripe webhook, leading to significant disruptions in payment processing, subscription renewal synchronization, cancellation handling, and management of failed payments. This vulnerability puts revenue streams and customer relationships at risk for any organization using the affected plugin versions.

Attack Chain

1. An attacker gains Subscriber-level access to the WordPress site, either through registration or compromised credentials.
2. The attacker crafts a malicious AJAX request targeting the wp_ajax_pmpro_stripe_create_webhook endpoint.
3. Alternatively, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_delete_webhook endpoint.
4. Or, the attacker crafts a malicious AJAX request to the wp_ajax_pmpro_stripe_rebuild_webhook endpoint.
5. Due to missing capability checks, the server processes the request without proper authorization.
6. The Stripe webhook configuration is modified, deleted, or rebuilt based on the attacker’s request.
7. Legitimate payment processing and subscription management processes fail due to the altered webhook configuration.
8. The attacker effectively disrupts the site’s ability to collect payments and manage subscriptions.

Impact

Successful exploitation of this vulnerability allows an attacker to completely disrupt a WordPress site’s payment processing and subscription management functionalities. This can result in significant financial losses due to interrupted sales and subscription renewals. Furthermore, the disruption can damage customer trust and lead to churn as users experience issues with their subscriptions. The vulnerability affects all sites using Paid Memberships Pro plugin versions up to 3.6.5.

Recommendation

• Immediately update the Paid Memberships Pro plugin to the latest version to patch CVE-2026-4100.
• Monitor WordPress web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, or pmpro_stripe_rebuild_webhook using the “Detect Suspicious PMPro Stripe Webhook AJAX Requests” Sigma rule.
• Review user roles and permissions to minimize the number of users with Subscriber-level access as a temporary mitigation.

]]>highadvisorywordpressstripewebhookvulnerabilitypluginhttps://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/Fri, 24 Apr 2026 15:43:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/A vulnerability in the Stripe webhook handler allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without payment, stemming from an empty StripeWebhookSecret and lack of PaymentMethod validation, enabling cross-gateway exploitation.A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when StripeWebhookSecret is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the Recharge function does not validate that the order’s PaymentMethod matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.

Attack Chain

1. Attacker registers a user account on the target platform.
2. Attacker calls POST /api/user/pay to create an Epay top-up order, setting the amount. The order is stored with a pending status.
3. Attacker queries GET /api/user/topup/self to retrieve the trade_no of the pending order.
4. Attacker computes an HMAC-SHA256 signature with an empty key over a crafted checkout.session.completed payload. This payload contains the stolen trade_no as the client_reference_id.
5. Attacker sends a POST request to /api/stripe/webhook with the forged payload and a crafted Stripe-Signature header.
6. The server verifies the signature, which passes because the StripeWebhookSecret is empty.
7. The server calls the Recharge() function, which finds the Epay order by trade_no, marks the order as success, and credits the attacker’s account with the full quota.
8. The attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.

Impact

This vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.

Recommendation

• Set StripeWebhookSecret to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).
• Apply a reverse proxy (Nginx, Caddy, etc.) to deny access to /api/stripe/webhook if Stripe is not configured, as a temporary workaround.
• Deploy the Sigma rule Detect Forged Stripe Webhook Request to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.
• Upgrade to v0.12.10 immediately, as it addresses all three flaws completely.

]]>criticaladvisorystripewebhooksignature-bypassquota-fraudhttps://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/Mon, 24 Jun 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-otter-blocks-bypass/CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.The Otter Blocks plugin, a popular WordPress extension, is susceptible to a purchase verification bypass vulnerability identified as CVE-2026-2892. This flaw affects all versions up to and including 3.1.4. The vulnerability stems from the plugin’s reliance on an unsigned cookie, ‘o_stripe_data’, to determine Stripe product ownership for unauthenticated users. The ‘get_customer_data’ method uses this cookie, and the subsequent ‘check_purchase’ method trusts its contents without proper server-side validation against the Stripe API. This lack of verification enables attackers to gain unauthorized access to purchase-gated content. The target product ID is often exposed in the checkout block’s HTML source, further simplifying the exploit. Successful exploitation allows attackers to bypass payment requirements, potentially impacting content creators and businesses relying on the plugin for revenue generation.

Attack Chain

1. An unauthenticated attacker identifies a WordPress site using the vulnerable Otter Blocks plugin (version <= 3.1.4).
2. The attacker examines the HTML source code of a checkout block on the target site to identify the target product ID.
3. The attacker crafts a malicious ‘o_stripe_data’ cookie containing the target product ID.
4. The attacker sets the forged ‘o_stripe_data’ cookie in their browser.
5. The attacker navigates to the purchase-gated content on the WordPress site.
6. The ‘get_customer_data’ method reads the forged ‘o_stripe_data’ cookie.
7. The ‘check_purchase’ method incorrectly validates the forged purchase data without server-side verification against the Stripe API.
8. The attacker gains unauthorized access to the purchase-gated content, bypassing the intended payment requirement.

Impact

Successful exploitation of CVE-2026-2892 allows unauthenticated attackers to bypass purchase verification mechanisms implemented by the Otter Blocks plugin. This can lead to unauthorized access to premium content, resulting in revenue loss for content creators and businesses using the plugin. The number of potentially affected websites is significant, given the popularity of WordPress and the Otter Blocks plugin. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.

Recommendation

• Upgrade the Otter Blocks plugin to a version greater than 3.1.4 to patch CVE-2026-2892.
• Deploy the provided Sigma rules to detect potential exploitation attempts targeting the vulnerable plugin.
• Monitor web server logs (category webserver, product linux) for suspicious cookie manipulation activity, specifically targeting the ‘o_stripe_data’ cookie.
• Implement server-side validation of purchase data against the Stripe API to prevent cookie forgery attacks.

]]>highadvisorywordpresspluginpurchase-bypassCVE-2026-2892defense-evasion