Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation via Forged Stripe 'charge.refunded' Webhook

An unauthenticated attacker sends a crafted HTTP POST request to the site's Stripe webhook endpoint (`/?swpm_process_stripe_subscription=1&hook=1`) with a JSON body mimicking a Stripe `charge.refunded` event that includes a victim's subscription ID. Because the plugin does not verify the webhook payload's authenticity when no Stripe webhook signing secret is configured (the default out-of-the-box state), the forged event is processed as legitimate, setting the target member's `account_state` to `inactive` and triggering cancellation hooks, transaction-record status changes, and cancellation notification emails [ref_id=1][ref_id=2].

The vulnerability resides in the Stripe webhook handler included via `ipn/swpm-stripe-webhook-handler.php`, which is triggered when the `swpm_process_stripe_subscription` and `hook` query parameters are set to `1` (see `swpm_ipn_listener()` in `class.swpm-wp-loaded-tasks.php` [ref_id=1][ref_id=2]). The handler processes `charge.refunded` events without verifying the authenticity of the webhook payload when no Stripe webhook signing secret is configured, allowing an unauthenticated attacker to forge a refund event and deactivate arbitrary member accounts.

The patch does not appear in the provided bundle; however, the advisory indicates that the fix requires configuring a Stripe webhook signing secret so that incoming webhook payloads are verified via HMAC before processing. Sites that have set the `stripe-webhook-signing-secret` option are routed to the properly verified HMAC path and are not affected. Without that secret, the plugin accepts any POST to the webhook endpoint as authentic, which the patch closes by enforcing signature validation.