The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Simple Membership WordPress plugin before version 4.7.5 contains a critical vulnerability that combines two security failures: insufficient webhook validation and improper output encoding. When administrators fail to configure a Stripe signing secret, the plugin accepts unauthenticated webhook requests without cryptographic verification of their authenticity. Additionally, the plugin fails to escape user-controlled data from these webhooks before displaying it in administrator notices, creating a stored cross-site scripting (XSS) vulnerability. Any unauthenticated attacker can craft malicious Stripe webhook payloads to inject arbitrary JavaScript that executes in the browser context of logged-in administrators, potentially leading to credential theft, session hijacking, or further site compromise. This affects all WordPress installations using Simple Membership before 4.7.5, particularly those with incomplete security configuration.
While this CVE lacks mapped MITRE ATT&CK techniques, Casky's extended reasoning capabilities would detect the attack patterns underlying this vulnerability across multiple adversarial objectives: initial access through T1190 (Exploit Public-Facing Application), privilege escalation through T1548 (Abuse Elevation Control Mechanism) as attackers target administrator accounts, and execution through T1059 (Command and Scripting Interpreter) via injected JavaScript. Practitioners using Casky would observe findings highlighting improper input validation (CWE-20 class issues), missing webhook signature verification patterns, and dangerous dynamic content rendering in administrative interfaces. The platform's skill-based analysis would flag the absence of webhook authentication checks and identify XSS injection points, enabling security teams to prioritize remediation of both the configuration weakness and the underlying code defect before attackers exploit these chained failures.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11855. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation