CVE-2026-34886: WordPress Simple Membership plugin <= 4.7.1 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the WordPress Simple Membership plugin at version 4.7.1 and earlier. The flaw is reachable over the network and requires no authentication, meaning any external party with HTTP access to a WordPress site running the affected plugin can exploit it. Successful exploitation allows an attacker to make unauthorized modifications to protected data or functionality, compromising the integrity of the site without any prior login. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer container images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the WordPress Simple Membership plugin.
HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and weights findings against each customer organization's compliance policy before routing alerts to the appropriate team inbox. Per-environment policy weighting ensures high-severity, no-authentication-required findings like this one are surfaced promptly to the teams responsible for WordPress workloads.
Fix status: pending upstream. No fix version has been published by the vendor as of the CVE publication date, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will follow without manual intervention once a fix version exists.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.
- Authentication: Not required
No account or credentials of any kind are needed; the vulnerability is exploitable by any unauthenticated party.
- Victim interaction: Not required
The attacker does not need to trick or involve any user; the exploit is fully self-contained.
- Attack complexity: Low (CVSS AC:L)
Exploitation is reliable and condition-free, with no race conditions or special environmental setup required.
Blast Radius
- An attacker writes to or modifies WordPress data or plugin-controlled resources that are meant to be access-controlled, bypassing membership restrictions.
- Protected member-only content, user records, or plugin configuration can be altered without any valid session.
- Integrity of the WordPress site is directly compromised, and any data the plugin is responsible for protecting can be tampered with.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is active across all customer environments scanning WordPress-based images, with ingestion from Patchstack and other upstream feeds occurring within minutes of publication. Because no fix version exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the vendor ships a fix. For customers with auto-remediation enabled, that moment will trigger an image rebuild, a regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include network-policy rules that restrict public HTTP access to wp-admin and plugin endpoints, web application firewall rules targeting the affected plugin routes, and feature-flag or plugin-deactivation options where membership gating is not critical to the workload.
Affected Products
- wp.insider / Simple Membership: ≤ 4.7.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
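Because no fixed version exists yet, the practical question for a defender is whether a given WordPress install carries an affected build. The following is an added example, not HarborGuard's or the plugin's own code: it reads the standard WordPress plugin-header comment (the `Plugin Name:` and `Version:` lines at the top of a plugin's main PHP file), checks that the plugin is Simple Membership, and compares the version numerically against the advisory's `<= 4.7.1` ceiling. The sample header below is constructed for the demo; the plugin name and affected range come from the advisory. Numeric comparison matters here: a naive string comparison would rank `4.10` below `4.7.1` and misreport it as affected.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range as stated in the advisory: Simple Membership <= 4.7.1.
AFFECTED_PLUGIN_NAME = "Simple Membership"
MAX_AFFECTED_VERSION = "4.7.1"

# Constructed sample header in the WordPress plugin-header comment format.
# The version value here is made up for the demonstration.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Simple Membership
Version: 4.7.1
Author: wp.insider
*/
"""


def read_header_field(header: str, field: str) -> Optional[str]:
    """Return the value of a 'Field: value' line from a plugin header comment."""
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":[ \t]*(.+?)[ \t]*$"
    match = re.search(pattern, header, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.7.1' or 'v4.10' into a numeric tuple.

    Only the leading dotted numeric part is used, so suffixes such as
    '-beta' are ignored rather than breaking the comparison.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str, max_affected: str = MAX_AFFECTED_VERSION) -> bool:
    """True when version <= max_affected, compared component-wise as integers."""
    found, ceiling = parse_version(version), parse_version(max_affected)
    width = max(len(found), len(ceiling))
    found += (0,) * (width - len(found))      # 4.7 is treated as 4.7.0
    ceiling += (0,) * (width - len(ceiling))
    return found <= ceiling


def assess_plugin_header(header: str) -> Dict[str, object]:
    """Assess one plugin header against the advisory's affected range."""
    name = read_header_field(header, "Plugin Name")
    version = read_header_field(header, "Version")
    result: Dict[str, object] = {
        "plugin": name, "version": version, "affected": False, "reason": "",
    }
    if name is None or version is None:
        result["reason"] = "missing Plugin Name or Version header"
        return result
    if name.strip().lower() != AFFECTED_PLUGIN_NAME.lower():
        result["reason"] = "not the affected plugin"
        return result
    try:
        result["affected"] = is_affected(version)
    except ValueError as exc:
        result["reason"] = str(exc)
        return result
    result["reason"] = (
        f"version {version} is within the affected range (<= {MAX_AFFECTED_VERSION})"
        if result["affected"]
        else f"version {version} is above {MAX_AFFECTED_VERSION}"
    )
    return result


if __name__ == "__main__":
    print(assess_plugin_header(SAMPLE_PLUGIN_HEADER))
```

To use this against a real install, feed `assess_plugin_header` the contents of the plugin's main PHP file from `wp-content/plugins/`; the ceiling constant is the only thing to update once the vendor publishes a fixed version.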