CVE-2026-4100
Published: 02 May 2026
Summary
CVE-2026-4100 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordfence (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires enforcement of approved authorizations, addressing the missing capability checks on the vulnerable AJAX handlers that allow unauthorized Stripe webhook modifications.
Enforces least privilege to prevent subscriber-level users from accessing or modifying critical Stripe webhook configurations.
Restricts access to mechanisms that change system configurations, such as the AJAX handlers altering Stripe webhook settings.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin with missing authorization on AJAX handlers allows low-privilege authenticated users to modify/disrupt Stripe webhook config, enabling exploitation of public-facing apps (T1190) and privilege escalation via unauthorized actions (T1068).
NVD Description
The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX…
more
handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.
Deeper analysisAI
CVE-2026-4100 is a vulnerability in the Paid Memberships Pro plugin for WordPress, affecting all versions up to and including 3.6.5. It stems from missing capability checks on the AJAX handlers `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook`, enabling unauthorized modification and disruption of Stripe webhook configuration. The issue is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) and maps to CWE-862 (Missing Authorization).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction. By invoking the affected AJAX endpoints, they can create, delete, or rebuild the site's Stripe webhook, which disrupts critical payment processing functions including subscription renewal synchronization, cancellation handling, and failed payment management.
Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406df0a64b3?source=cve and a patch via the GitHub pull request at https://github.com/strangerstudios/paid-memberships-pro/pull/3615. WordPress site administrators using the plugin should update to a version beyond 3.6.5 to address the missing authorization checks.
Details
- CWE(s)