Impact
An Insecure Direct Object Reference in the ProfilePress plugin before version 4.16.17 allows an authenticated user with a Subscriber+ role to cancel other users’ active subscriptions. The plugin does not verify ownership of the targeted subscription before performing the cancellation, enabling an attacker to terminate active plans belonging to other users.
Affected Systems
ProfilePress WordPress plugin for paid memberships, e-commerce, user registration, login, user profile, and content restriction. Versions prior to 4.16.17 are affected.
Risk and Exploitability
This vulnerability exposes users to unauthorized cancellation of their active subscriptions, which can disrupt service availability and cause financial loss to the site owner. The risk is significant for sites that rely on subscription revenue. Exploitation can be achieved by any authenticated user with a Subscriber+ role, by simply supplying the identifier of another user’s subscription to the cancellation endpoint. EPSS score is <1%, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 8.1 indicates high severity.
OpenCVE Enrichment