Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action.
Published: 2026-04-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized payment bypass for membership plans
Action: Immediate Patch
AI Analysis

Impact

An authenticated user with subscriber level access or higher can manipulate the checkout process of the ProfilePress plugin by supplying a different subscription ID. A missing authorization check on the change_plan_sub_id parameter allows the attacker to reference another user's active subscription, causing the plugin to recalculate proration and credit the attacker with a paid lifetime membership without completing a payment. This flaw effectively lets attackers obtain paid privileges at no cost.

Affected Systems

The vulnerability affects the WordPress "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress" by properfraction. All plugin releases up to and including version 4.16.11 are impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact if exploited. An EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, which suggests it may not yet be actively exploited in the wild. Because exploitation requires an authenticated account with subscriber or higher privileges, attackers who gain or already possess such access can easily conduct the bypass. The relatively high severity and the clear path to exploitation warrant urgent attention.

Generated by OpenCVE AI on April 4, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProfilePress to the latest release (version 4.16.12 or newer).
  • If an upgrade cannot be performed immediately, restrict the ppress_process_checkout AJAX action to administrator roles only, preventing subscriber accounts from triggering the checkout flow.
  • Ensure that the change_plan_sub_id parameter is validated to belong to the current user before processing any plan change.
  • Audit user activity logs for unauthorized plan upgrades and revert any changes that were made without proper payment.
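The ownership check recommended above, shown as an added illustration in a WordPress-style AJAX handler. This is not ProfilePress code: the table name, column names, nonce name and function names are assumptions made for the example.

```php
<?php
// Added example, not ProfilePress code. Assumptions (hypothetical): subscriptions are stored in
// {$wpdb->prefix}ppress_subscriptions with columns id, customer_id (a WordPress user ID) and
// status, and the checkout handler is hooked on wp_ajax_ppress_process_checkout.

/**
 * Resolve change_plan_sub_id only if it names an active subscription owned by the caller.
 * Returns null when no plan change was requested, false when the ID is foreign/invalid,
 * or the subscription row when the check passes.
 */
function ppress_example_owned_subscription( $raw_sub_id ) {
    global $wpdb;
    $sub_id = absint( $raw_sub_id );
    if ( 0 === $sub_id ) {
        return null; // no plan change requested, no proration to compute
    }
    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        return false;
    }
    $table = $wpdb->prefix . 'ppress_subscriptions'; // assumed table name
    $sub   = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, customer_id, status FROM {$table} WHERE id = %d",
        $sub_id
    ) );
    // Ownership check (the missing control): the row must exist, belong to the caller, and be active.
    if ( ! $sub || (int) $sub->customer_id !== $current_user_id || 'active' !== $sub->status ) {
        return false;
    }
    return $sub;
}

function ppress_example_process_checkout_ajax() {
    check_ajax_referer( 'ppress_checkout_nonce', 'nonce' ); // assumed nonce name
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $raw = isset( $_POST['change_plan_sub_id'] ) ? wp_unslash( $_POST['change_plan_sub_id'] ) : 0;
    $sub = ppress_example_owned_subscription( $raw );
    if ( false === $sub ) {
        // Reject rather than silently falling back: a foreign subscription ID is a policy violation
        // worth logging, since it is exactly the request shape this CVE describes.
        error_log( sprintf( 'ppress checkout: user %d supplied non-owned change_plan_sub_id %s', get_current_user_id(), sanitize_text_field( $raw ) ) );
        wp_send_json_error( 'invalid subscription for plan change', 403 );
    }
    // ... proration is computed only from $sub (caller-owned) or skipped when $sub is null ...
    wp_send_json_success();
}
add_action( 'wp_ajax_ppress_process_checkout', 'ppress_example_process_checkout_ajax' );
```

The error_log line doubles as the audit hook for the last recommendation: a non-owned change_plan_sub_id on an otherwise valid session is the signal to look for when reviewing logs for bypass attempts.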

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Properfraction; Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Properfraction; Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress; Wordpress; Wordpress wordpress

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 08:45:00 +0000

Values Removed: (none)

Type: Description
Values Added: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action.

Type: Title
Values Added: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:19.145Z

Reserved: 2026-03-02T15:39:16.791Z

Link: CVE-2026-3445

Vulnrichment

Updated: 2026-04-06T18:00:15.075Z

NVD

Status : Deferred

Published: 2026-04-04T09:16:20.330

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-3445

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T22:20:51Z

Weaknesses