CVE-2026-42663

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in the WordPress Simple Membership plugin versions up to and including 4.7.2. The vulnerability is unauthenticated and occurs when user-supplied input is not properly sanitized or escaped before being output, allowing a malicious actor to inject arbitrary HTML/JavaScript into a page. This affects all versions <= 4.7.2 [1].

Exploitation

An unauthenticated attacker can craft a malicious link or form that, when interacted with by a privileged user (e.g., administrator) who clicks the link or visits a specially crafted page, triggers the injection of malicious scripts. The attacker does not need any prior authentication or special privileges, but successful exploitation requires user interaction from an authenticated admin [1].

Impact

Successful exploitation allows the attacker to inject scripts that can execute arbitrary actions in the context of the victim's session, such as redirecting visitors to malicious sites, displaying advertisements or other HTML payloads, stealing cookies, or performing other actions that compromise the integrity of the website and its users. The impact is moderate (CVSS 6.5) and is expected in mass-exploit campaigns [1].

Mitigation

The vulnerability is fixed in version 4.7.3. Users are strongly advised to update to version 4.7.3 or later immediately. For Patchstack users, an auto-update feature for vulnerable plugins can be enabled. No other workarounds are detailed in the reference [1].