A Privilege Escalation vulnerability has been identified in the WordPress Simple Membership Plugin. This vulnerability could allow a malicious actor to escalate their low privileged account to something with higher privileges, and ultimately take full control of the website.

This vulnerability was discovered and responsibly reported by Rafie Muhammad (Patchstack).

The vulnerability is a Privilege Escalation vulnerability that occurs in the simple-membership.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to escalate their privileges on the website.


The vulnerability has a CVSS 3.1 score of 8.6, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Simple Membership Plugin prior to 4.3.5.


An attacker who successfully exploits this vulnerability could:

  • Escalate their low privileged account to something with higher privileges.
  • Take full control of the website.


Users of the Simple Membership Plugin can follow these actions to secure WordPress website:

  • Update the Plugin: Immediate action is required to update the Simple Membership Plugin to the most recent available version, specifically version 4.3.5 or newer. This update contains vital security fixes designed to rectify the Privilege Escalation vulnerability.
  • Regularly Update All Plugins: Keeping all website components up to date is a fundamental security practice.
  • Enhance Security Measures: Consider implementing additional security measures such as web application firewalls (WAFs), robust authentication protocols, and periodic security assessments. A comprehensive security strategy is essential to minimize potential exploitation attempts.


This vulnerability is a serious threat to the security of WordPress websites that use the Simple Membership Plugin. Users are strongly advised to update to the latest available version (at least 4.3.5) as soon as possible.