Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
Published: 2026-06-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Insecure Direct Object Reference in the ProfilePress plugin before version 4.16.17 allows an authenticated user with the Subscriber role or higher to cancel another user’s subscription. The plugin does not verify ownership of the target subscription before performing the cancellation, enabling an attacker to terminate active plans belonging to other users.

Affected Systems

ProfilePress WordPress plugin for paid memberships, e-commerce, user registration, login, user profile, and content restriction. Versions prior to 4.16.17 are affected.

Risk and Exploitability

This vulnerability exposes users to unauthorized cancellation of their active subscriptions, which can disrupt service availability and cause financial loss to the site owner. The risk is significant for sites that rely on subscription revenue. Exploitation can be achieved by any authenticated user with a Subscriber+ role, by simply supplying the identifier of another user’s subscription to the cancellation endpoint. EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. No CVSS score is provided, but the impact on business continuity and revenue suggests a high severity.

Generated by OpenCVE AI on June 27, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProfilePress plugin to version 4.16.17 or newer to address the IDOR flaw.
  • If an upgrade is not immediately possible, restrict the subscription cancellation feature to the subscription owner or remove the ability to cancel from the front‑end for all users.
  • As a temporary measure, enforce stricter access controls by validating the subscription owner on each cancellation request, or use a server‑side filter to block requests where the subscriber ID does not match the logged‑in user.
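The ownership check the recommended actions describe, as an added example in the form of a WordPress AJAX handler. This is not ProfilePress code and does not reflect the plugin's internals; `example_get_subscription()` and `example_cancel_subscription()` are hypothetical stand-ins for the plugin's data layer, backed here by a constructed in-memory table. The WordPress core functions used (`is_user_logged_in`, `check_ajax_referer`, `absint`, `get_current_user_id`, `current_user_can`, `wp_send_json_error`, `wp_send_json_success`, `add_action`) are real. The vulnerable handler shows the CWE-639 pattern the advisory describes; the hardened one binds the requested subscription to the caller.

```php
<?php
// Added example (not ProfilePress code): ownership check for a front-end
// "cancel subscription" request in a WordPress plugin.

// --- Hypothetical data layer, constructed for this example ------------------
// Each subscription records the WordPress user id of its owner.
$example_subscriptions = array(
    101 => (object) array( 'id' => 101, 'user_id' => 7,  'status' => 'active' ),
    102 => (object) array( 'id' => 102, 'user_id' => 12, 'status' => 'active' ),
);

function example_get_subscription( int $sub_id ) {
    global $example_subscriptions;
    return $example_subscriptions[ $sub_id ] ?? null;
}

function example_cancel_subscription( int $sub_id ): void {
    global $example_subscriptions;
    $example_subscriptions[ $sub_id ]->status = 'cancelled';
}

// --- Vulnerable pattern (CWE-639) -------------------------------------------
// The subscription id is taken from the request and acted on directly; any
// logged-in user can cancel any id they can guess.
function example_cancel_subscription_vulnerable(): void {
    $sub_id = absint( $_POST['subscription_id'] ?? 0 );
    example_cancel_subscription( $sub_id );
    wp_send_json_success();
}

// --- Hardened handler --------------------------------------------------------
function example_cancel_subscription_secure(): void {
    // 1. Authentication and CSRF protection. The nonce action name is
    //    hypothetical; the front-end form must emit a matching nonce.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    check_ajax_referer( 'example_cancel_subscription', 'nonce' );

    // 2. Input validation: a well-formed positive integer id.
    $sub_id = absint( $_POST['subscription_id'] ?? 0 );
    if ( 0 === $sub_id ) {
        wp_send_json_error( 'invalid subscription id', 400 );
    }

    // 3. Object lookup. Unknown and foreign ids get the same response below,
    //    so the endpoint does not confirm which ids exist.
    $subscription = example_get_subscription( $sub_id );
    if ( null === $subscription ) {
        wp_send_json_error( 'subscription not found', 404 );
    }

    // 4. Authorization: the caller must own the subscription, or hold a
    //    management capability (manage_options stands in for a plugin-specific one).
    $current_user = get_current_user_id();
    $is_owner     = (int) $subscription->user_id === $current_user;
    $is_manager   = current_user_can( 'manage_options' );

    if ( ! $is_owner && ! $is_manager ) {
        // Detection hook: a mismatch here is exactly the IDOR attempt the advisory
        // describes, so record it for the site's logs or SIEM.
        error_log( sprintf(
            'subscription-cancel denied: user %d requested subscription %d owned by user %d',
            $current_user,
            $sub_id,
            (int) $subscription->user_id
        ) );
        wp_send_json_error( 'subscription not found', 404 );
    }

    example_cancel_subscription( $sub_id );
    wp_send_json_success( array( 'id' => $sub_id, 'status' => 'cancelled' ) );
}

// Register only the hardened handler for logged-in users; no nopriv variant.
add_action( 'wp_ajax_example_cancel_subscription', 'example_cancel_subscription_secure' );
```

The essential difference is step 4: the user-controlled key (`subscription_id`) is never trusted as proof of ownership; the server compares the record's `user_id` to `get_current_user_id()` and treats a mismatch as not found. The `error_log` line gives defenders a concrete signal to alert on while the upgrade to 4.16.17 is rolled out.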

Generated by OpenCVE AI on June 27, 2026 at 07:21 UTC.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 07:45:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-639

Sat, 27 Jun 2026 06:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
Title       |                | ProfilePress < 4.16.17 - Subscriber+ Subscription Cancellation via IDOR
References  |                |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-27T06:00:02.084Z

Reserved: 2026-06-04T07:38:16.293Z

Link: CVE-2026-10820

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T07:30:13Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key