VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 25 known issues Latest disclosed Mar 31, 2026

Simple Membership Vulnerabilities

Review known vulnerability records for the WordPress plugin Simple Membership (`simple-membership`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-34886, CVE-2026-1461 and CVE-2025-49333, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
25
High or Critical
9
Patch Coverage
100%
Last Updated
Apr 09, 2026
Priority CVE Quick Links

Fast paths into Simple Membership CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
23
CVE-2022-2317 Critical 4.1.3
CVE-2022-2317 Simple Membership Privilege Escalation

Simple Membership <= 4.1.2 - Membership Privilege Escalation

CVE-2023-41956 High 4.3.5
CVE-2023-41956 Simple Membership Vulnerability

Simple Membership <= 4.3.4 - Account Takeover via Password Reset

CVE-2022-2273 High 4.1.3
CVE-2022-2273 Simple Membership Privilege Escalation

Simple Membership <= 4.1.2 - Membership Privilege Escalation

CVE-2022-0328 High 4.0.9
CVE-2022-0328 Simple Membership Cross-Site Request Forgery

Simple Membership <= 4.0.8 - Cross-Site Request Forgery to Arbitrary Member Deletion

CVE-2019-14328 High 3.8.5
CVE-2019-14328 Simple Membership Cross-Site Request Forgery

Simple Membership <= 3.8.4 - Cross-Site Request Forgery

CVE-2016-10884 High 3.3.3
CVE-2016-10884 Simple Membership Cross-Site Request Forgery

Simple Membership <= 3.3.2 - Multiple Cross-Site Request Forgery

CVE-2023-41957 High 4.3.5
CVE-2023-41957 Simple Membership Privilege Escalation

Simple Membership <= 4.3.4 - Privilege escalation via Registration

CVE-2023-4719 High 4.3.6
CVE-2023-4719 Simple Membership Cross-Site Scripting

Simple Membership <= 4.3.5 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Simple Membership so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
25 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
1 critical and 8 high severity findings.
Recent CVEs
CVE-2026-34886, CVE-2026-1461 and CVE-2025-49333
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Simple Membership

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-34886
CVE-2026-34886: Simple Membership <= 4.7.1 - Missing Authorization

The Simple Membership plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.7.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Mar 31, 2026
Patched Release
4.7.2
Affected Versions
Versions up to 4.7.1
Next Step
Update to 4.7.2 or newer if supported.
Open CVE-2026-34886 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-1461
CVE-2026-1461: Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting...

Published
Feb 18, 2026
Patched Release
4.7.1
Affected Versions
Versions up to 4.7.0
Next Step
Update to 4.7.1 or newer if supported.
Open CVE-2026-1461 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-49333
CVE-2025-49333: Simple Membership <= 4.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and abov...

Published
Jun 05, 2025
Patched Release
4.6.4
Affected Versions
Versions up to 4.6.3
Next Step
Update to 4.6.4 or newer if supported.
Open CVE-2025-49333 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-11088
CVE-2024-11088: Simple Membership <= 4.5.5 - Exposure of Private Personal Information to an Unauthorized Actor

The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been r...

Published
Nov 20, 2024
Patched Release
4.5.6
Affected Versions
Versions up to 4.5.5
Next Step
Update to 4.5.6 or newer if supported.
Open CVE-2024-11088 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-49682
CVE-2024-49682: Simple Membership <= 4.5.3 - Unauthenticated Open Redirect

The Simple Membership plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.5.3. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially malici...

Published
Oct 21, 2024
Patched Release
4.5.4
Affected Versions
Versions up to 4.5.3
Next Step
Update to 4.5.4 or newer if supported.
Open CVE-2024-49682 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-4383
CVE-2024-4383: Simple Membership <= 4.4.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5 due to insufficient input sanitization and output escaping on user supplied attrib...

Published
May 03, 2024
Patched Release
4.4.6
Affected Versions
Versions up to 4.4.5
Next Step
Update to 4.4.6 or newer if supported.
Open CVE-2024-4383 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-3730
CVE-2024-3730: Simple Membership <= 4.4.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attrib...

Published
Apr 24, 2024
Patched Release
4.4.4
Affected Versions
Versions up to 4.4.3
Next Step
Update to 4.4.4 or newer if supported.
Open CVE-2024-3730 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-1985
CVE-2024-1985: Simple Membership <= 4.4.2 - Unauthenticated Stored Self-Based Cross-Site Scripting

The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

Published
Mar 05, 2024
Patched Release
4.4.3
Affected Versions
Versions up to 4.4.2
Next Step
Update to 4.4.3 or newer if supported.
Open CVE-2024-1985 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-22308
CVE-2024-22308: Simple Membership <= 4.4.1 - Open Redirect

The Simple Membership plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.4.1. This is due to insufficient validation on the redirect url supplied via the swpm_page_url parameter. This makes it possible for unauthenticated attackers to redi...

Published
Jan 19, 2024
Patched Release
4.4.2
Affected Versions
Versions up to 4.4.1
Next Step
Update to 4.4.2 or newer if supported.
Open CVE-2024-22308 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-50376
CVE-2023-50376: Simple Membership <= 4.3.8 - Reflected Cross-Site Scripting

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to 4.3.9 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a...

Published
Dec 19, 2023
Patched Release
4.3.9
Affected Versions
Versions before 4.3.9
Next Step
Update to 4.3.9 or newer if supported.
Open CVE-2023-50376 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-6882
CVE-2023-6882: Simple Membership <= 4.3.8 - Reflected Cross-Site Scripting Vulnerability via environment_mode

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attac...

Published
Dec 18, 2023
Patched Release
4.3.9
Affected Versions
Versions up to 4.3.8
Next Step
Update to 4.3.9 or newer if supported.
Open CVE-2023-6882 Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-41957
CVE-2023-41957: Simple Membership <= 4.3.4 - Privilege escalation via Registration

The Simple Membership plugin for WordPress is vulnerable to privilege escalation due to missing input validation on the create_swpm_user function in versions up to, and including, 4.3.4. This makes it possible for unauthenticated attackers to register users with arbitrary members...

Published
Sep 25, 2023
Patched Release
4.3.5
Affected Versions
Versions up to 4.3.4
Next Step
Update to 4.3.5 or newer if supported.
Open CVE-2023-41957 Report Open CVE Reference