Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
Published: 2026-06-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Insecure Direct Object Reference in the ProfilePress plugin before version 4.16.17 allows an authenticated user with a Subscriber+ role to cancel other users’ active subscriptions. The plugin does not verify ownership of the targeted subscription before performing the cancellation, enabling an attacker to terminate active plans belonging to other users.

Affected Systems

ProfilePress WordPress plugin for paid memberships, e-commerce, user registration, login, user profile, and content restriction. Versions prior to 4.16.17 are affected.

Risk and Exploitability

This vulnerability exposes users to unauthorized cancellation of their active subscriptions, which can disrupt service availability and cause financial loss to the site owner. The risk is significant for sites that rely on subscription revenue. Exploitation can be achieved by any authenticated user with a Subscriber+ role, by simply supplying the identifier of another user’s subscription to the cancellation endpoint. EPSS score is <1%, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 8.1 indicates high severity.

Generated by OpenCVE AI on June 29, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProfilePress plugin to version 4.16.17 or newer to address the IDOR flaw.
  • If an upgrade is not immediately possible, restrict the subscription cancellation feature to the subscription owner or remove the ability to cancel from the front‑end for all users.
  • As a temporary measure, enforce stricter access controls by validating the subscription owner on each cancellation request, or use a server‑side filter to block requests where the subscriber ID does not match the logged‑in user.

Generated by OpenCVE AI on June 29, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Properfraction
Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress
Wordpress
Wordpress wordpress
Vendors & Products Properfraction
Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-639

Mon, 29 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639

Sat, 27 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
Title ProfilePress < 4.16.17 - Subscriber+ Subscription Cancellation via IDOR
References

Subscriptions

Properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-29T12:45:15.926Z

Reserved: 2026-06-04T07:38:16.293Z

Link: CVE-2026-10820

cve-icon Vulnrichment

Updated: 2026-06-29T12:45:11.772Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T19:30:02Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-639

    Authorization Bypass Through User-Controlled Key