HarborGuard Database
HIGH · CVE-2026-40726 · CNA: Patchstack

CVE-2026-40726: WordPress User Registration Stripe plugin <= 1.3.14 - Broken Access Control vulnerability

Unauthenticated broken access control in User Registration Stripe versions 1.3.14 and earlier.

Metrics

CVSS v3.1 base score: 8.2
Severity: HIGH
Fixed in: no fixed version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

Broken access control in the User Registration Stripe WordPress plugin (versions 1.3.14 and earlier) allows an unauthenticated remote attacker to reach functionality that should be restricted to logged-in or privileged users. The vulnerability is exploitable over the network with no credentials and no user interaction, as the CVSS:3.1/AV:N/AC:L/PR:N/UI:N portion of the vector indicates. The impact metrics (C:H/I:L/A:N, S:U) model full read access to the data handled by the affected functionality, a limited ability to modify it, no effect on availability, and an impact confined to the WordPress application itself. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-40726 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle this plugin. No manual scanning configuration is required for coverage to apply.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS 8.2 HIGH severity and weighting that score against each environment's compliance policy to determine urgency. Routing to the appropriate team inbox within each customer organization is handled automatically based on those policy settings.

Available
Patch

Because no fix version has been published for this CVE, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment ThemeGrill ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; there is no requirement for local or physical access.

  • Authentication: Not required

    No account or credentials of any privilege level are needed to exploit this vulnerability.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user to carry out the attack.

  • Attack complexity: Low

    Exploitation is reliable and condition-free (AC:L); no race conditions, special memory layout, or environmental prerequisites are required.

Blast Radius

  • A successful attacker reads sensitive data exposed by the access-controlled functionality, which, given what the plugin handles, may include user registration records, Stripe-related configuration, or payment metadata stored by the plugin.
  • The attacker gains limited write access to affected resources, allowing modification of select data or plugin state without full administrative control.
  • Confidentiality impact is rated High (C:H) and integrity Low (I:L): the vector models a total loss of confidentiality for the data reachable through the affected functionality, but only limited, non-controlling modification of it.
  • Scope is Unchanged (S:U), so the impact stays within the WordPress application rather than crossing into other components.
  • Availability is not affected (A:N); the attacker cannot crash or degrade the WordPress instance through this vector alone.

How HarborGuard Handles This

Available on HarborGuard: as described under Patch above, no upstream fix exists for CVE-2026-40726 as of the publication date, so the platform monitors the ThemeGrill advisory on every ingest cycle and triggers a patched-image rebuild, regression run, and PR against affected workloads as soon as a fix version is released. In the interim, compensating controls are worth considering: deactivating the User Registration Stripe plugin on any site where Stripe integration is not actively required (the most reliable interim control, since the flaw needs no credentials); network-policy rules that restrict public access to the affected plugin functionality, bearing in mind that a registration plugin is normally meant to be reachable by anonymous visitors, so such rules may block legitimate sign-ups; and egress filtering on WordPress containers to limit what a compromised instance can reach. Where compliance policy permits, HarborGuard can surface these recommendations as actionable findings routed to the appropriate team inbox.

Affected packages
  • ThemeGrill / User Registration Stripe
    ≤ 1.3.14
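The affected range is stated only as an upper bound, and no fixed version is published yet. As an added example (not HarborGuard tooling and not part of the advisory), the following Python reads the Version: field from a WordPress plugin's main-file header and compares it numerically against that bound, so that 1.3.9 is correctly flagged while a string comparison would rank it above 1.3.14. The sample header text is constructed for the example; only the 1.3.14 bound comes from the advisory, and the optional fixed_in parameter is there for when a remediated release is announced.

```python
"""Check whether an installed copy of the plugin falls in the advisory's affected range."""
import re
from typing import Optional, Tuple

# From the advisory: every release up to and including 1.3.14 is affected.
AFFECTED_UP_TO = "1.3.14"

# WordPress plugin metadata lives in a comment block at the top of the plugin's
# main PHP file. This is a constructed sample header, not the real plugin file.
SAMPLE_MAIN_FILE = """<?php
/**
 * Plugin Name: User Registration Stripe
 * Version: 1.3.14
 * Requires at least: 5.6
 */
"""

# Matches ' * Version: 1.3.14' style header lines; the value must start with a digit.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]\S*)", re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.3.14' into (1, 3, 14). Comparing strings would rank 1.3.9 above 1.3.14."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric piece such as 'beta1'
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def header_version(php_source: str) -> Optional[str]:
    """Extract the Version: field from a plugin header, or None if absent."""
    m = HEADER_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def is_affected(version: str, fixed_in: Optional[str] = None) -> bool:
    """Affected if <= AFFECTED_UP_TO; once a fix ships, affected if < fixed_in."""
    v = parse_version(version)
    if fixed_in is not None:
        return v < parse_version(fixed_in)
    return v <= parse_version(AFFECTED_UP_TO)


if __name__ == "__main__":
    installed = header_version(SAMPLE_MAIN_FILE)
    verdict = "affected" if installed and is_affected(installed) else "not affected"
    print(f"User Registration Stripe {installed}: {verdict} by CVE-2026-40726")
```

On a live host the same functions would be fed the contents of the plugin's main file under wp-content/plugins; the file name is not given on this page and is deliberately not assumed here.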
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N