Cyber Resilience

CVE-2026-4100

High

Published: 02 May 2026

Published
02 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
EPSS Score 0.0005 15.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4100 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordfence (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-4100 is a vulnerability in the Paid Memberships Pro plugin for WordPress, affecting all versions up to and including 3.6.5. It stems from missing capability checks on the AJAX handlers `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook`, enabling unauthorized modification and disruption of Stripe webhook configuration. The issue is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) and maps to CWE-862 (Missing Authorization).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction. By invoking the affected AJAX endpoints, they can create, delete, or rebuild the site's Stripe webhook, which disrupts critical payment processing functions including subscription renewal synchronization, cancellation handling, and failed payment management.

Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406df0a64b3?source=cve and a patch via the GitHub pull request at https://github.com/strangerstudios/paid-memberships-pro/pull/3615. WordPress site administrators using the plugin should update to a version beyond 3.6.5 to address the missing authorization checks.

EU & UK References

Vulnerability details

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX…

more

handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability in public-facing WordPress plugin with missing authorization on AJAX handlers allows low-privilege authenticated users to modify/disrupt Stripe webhook config, enabling exploitation of public-facing apps (T1190) and privilege escalation via unauthorized actions (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32501Shared CWE-862
CVE-2025-31194Shared CWE-862
CVE-2026-6963Shared CWE-862
CVE-2024-9195Shared CWE-862
CVE-2025-6380Shared CWE-862
CVE-2026-0506Shared CWE-862
CVE-2025-2110Shared CWE-862
CVE-2025-27270Shared CWE-862
CVE-2026-6510Shared CWE-862
CVE-2026-0974Shared CWE-862

Affected Assets

Wordfence
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires enforcement of approved authorizations, addressing the missing capability checks on the vulnerable AJAX handlers that allow unauthorized Stripe webhook modifications.

prevent

Enforces least privilege to prevent subscriber-level users from accessing or modifying critical Stripe webhook configurations.

prevent

Restricts access to mechanisms that change system configurations, such as the AJAX handlers altering Stripe webhook settings.

References