Description
The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via `wp_verify_nonce()`. This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the `wps_subscription_id` parameter.
Published: 2026-03-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Cancellation of Subscriptions
Action: Update Plugin
AI Analysis

Impact

The Subscriptions for WooCommerce plugin contains a missing capability check in the wps_sfw_admin_cancel_susbcription() function. The function is hooked to the WordPress init action, which fires on every request to the site, without any authentication or authorization check, and it only tests that the nonce parameter is non-empty instead of validating it with wp_verify_nonce(). An unauthenticated attacker can therefore cancel any active WooCommerce subscription with a single crafted GET request that names the target through the wps_subscription_id parameter and carries any non-empty string as the nonce. The vulnerability is a missing authorization flaw (CWE-862) whose effect is unauthorized modification of subscription status.
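The following PHP is an added illustration of the pattern described above, written for this page; it is not the plugin's source. It puts the flawed shape of the handler (nonce checked only for non-emptiness, no capability check, hooked to init) next to a hardened version that authenticates, authorizes, and verifies the nonce before changing state. The handler body, the nonce parameter name wps_sfw_nonce, the nonce action wps_sfw_cancel_subscription, the post type wps_subscriptions and the status meta key are assumptions made for the example; only wps_subscription_id, the init hook and wp_verify_nonce() come from the advisory.

```php
<?php
/**
 * Added illustration for CVE-2026-1926 (not the plugin's source).
 * Assumed names: the nonce parameter `wps_sfw_nonce`, the nonce action
 * `wps_sfw_cancel_subscription`, the post type `wps_subscriptions` and the
 * `wps_subscription_status` meta key exist only for this example.
 */

// VULNERABLE PATTERN (shown for contrast; deliberately NOT hooked).
// `init` runs on every request, front end included, so any URL on the site
// reaches this code; an anonymous GET with a subscription ID and any
// non-empty nonce string gets through the "check".
function example_cancel_subscription_vulnerable() {
    if ( empty( $_GET['wps_subscription_id'] ) || empty( $_GET['wps_sfw_nonce'] ) ) {
        return; // non-empty check only: "wps_sfw_nonce=x" passes
    }
    $subscription_id = absint( $_GET['wps_subscription_id'] );
    update_post_meta( $subscription_id, 'wps_subscription_status', 'cancelled' );
}

// HARDENED PATTERN: same hook, with authentication, authorization and real
// nonce verification before any state change.
function example_cancel_subscription_fixed() {
    // Bail early: init fires on every request, so do nothing unless this
    // request actually carries the cancel parameters.
    if ( ! isset( $_GET['wps_subscription_id'], $_GET['wps_sfw_nonce'] ) ) {
        return;
    }

    // 1. Authentication + authorization. This is the primary control: a nonce
    //    is a CSRF token, not proof of who the caller is.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: wp_verify_nonce() binds the token to the action, the
    //    current user and a time window; a non-empty check does none of that.
    $nonce = sanitize_text_field( wp_unslash( $_GET['wps_sfw_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'wps_sfw_cancel_subscription' ) ) {
        wp_die( 'Invalid or expired nonce.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Validate the target: an existing post of the expected (assumed) type.
    $subscription_id = absint( $_GET['wps_subscription_id'] );
    if ( ! $subscription_id || 'wps_subscriptions' !== get_post_type( $subscription_id ) ) {
        wp_die( 'Unknown subscription.', 'Bad Request', array( 'response' => 400 ) );
    }

    update_post_meta( $subscription_id, 'wps_subscription_status', 'cancelled' );

    // Redirect so a reload of the URL carrying the token does not re-run the action.
    wp_safe_redirect( remove_query_arg( array( 'wps_subscription_id', 'wps_sfw_nonce' ) ) );
    exit;
}
add_action( 'init', 'example_cancel_subscription_fixed' );

// Building the legitimate admin link, so the nonce matches the action
// verified above (wp_nonce_url() appends the token under the given name).
function example_cancel_subscription_link( $subscription_id ) {
    $url = add_query_arg( 'wps_subscription_id', absint( $subscription_id ), admin_url() );
    return wp_nonce_url( $url, 'wps_sfw_cancel_subscription', 'wps_sfw_nonce' );
}
```

The order of the checks matters: the capability check comes first because wp_verify_nonce() alone would still let any logged-in customer who obtains a token cancel arbitrary subscriptions, and an attacker who can coax an administrator into clicking a link could still trigger the action without the nonce check. Both are needed; neither substitutes for the other.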

Affected Systems

The vendor is wpswings and the affected product is Subscriptions for WooCommerce. All releases up to and including version 1.9.2 are vulnerable. No other versions are known to be impacted.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects a network-reachable, low-complexity attack that needs no privileges or user interaction but affects integrity only, with no confidentiality or availability impact. The EPSS score is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires no credentials: because the handler runs on init, the attacker only needs to send a GET request to any URL on the site that carries a valid wps_subscription_id and an arbitrary, non-empty nonce value. The absence of authentication barriers makes the attack straightforward and makes mass cancellation practical if subscription IDs can be guessed or enumerated.

Generated by OpenCVE AI on March 18, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Subscriptions for WooCommerce plugin to the latest release and confirm from the vendor's changelog that the release addresses this issue; this page does not record a fixed version.
  • After updating, verify the fix: an unauthenticated GET request carrying wps_subscription_id and a bogus nonce must no longer change a subscription's status, while the legitimate administrator action still works.
  • If an immediate update is not possible, block GET requests that carry the wps_subscription_id query parameter at the web server or WAF until the update is applied (the cancellation action is an administrative function, so this affects only store administrators), or add a capability check and wp_verify_nonce() validation to the handler.
  • Review WooCommerce logs and web server access logs for unexpected subscription cancellations and for requests containing wps_subscription_id from unauthenticated or unfamiliar sources; a burst of such requests across many IDs indicates enumeration.
  • Add a web application firewall rule for the same request pattern; note that a WAF cannot validate WordPress nonces itself, so the rule has to key on the request parameters and source, not on the nonce value.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 15:15:00 +0000

  • Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

  • First Time appeared (added): Wordpress; Wordpress wordpress; Wpswings; Wpswings subscriptions For Woocommerce
  • Vendors & Products (added): Wordpress; Wordpress wordpress; Wpswings; Wpswings subscriptions For Woocommerce

Wed, 18 Mar 2026 04:15:00 +0000

  • Description (added): The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via `wp_verify_nonce()`. This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the `wps_subscription_id` parameter.
  • Title (added): Subscriptions for WooCommerce <= 1.9.2 - Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation
  • Weaknesses (added): CWE-862
  • References (added)
  • Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Updated: 2026-04-08T17:31:05.407Z

Reserved: 2026-02-04T19:42:00.982Z

Link: CVE-2026-1926

Vulnrichment

Updated: 2026-03-18T14:18:47.023Z

NVD

Status: Awaiting Analysis

Published: 2026-03-18T04:17:14.887

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-1926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:21Z

Weaknesses