Description
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims.
Published: 2026-03-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Subscription Cancellation
Action: Patch
AI Analysis

Impact

The vulnerability stems from an insecure direct object reference in the ProfilePress plugin, whereby the AJAX handler for process_checkout() accepts a user-provided subscription ID via the change_plan_sub_id parameter. Key detail from the CVE description: the handler loads the subscription record and cancels or expires it without verifying that the subscription belongs to the requesting user. This flaw enables an authenticated user with Subscriber level or higher privileges to terminate or expire any other user's active subscription, resulting in immediate loss of paid access to the victim.

Affected Systems

The flaw affects all releases of the ProfilePress Paid Membership Plugin up to and including version 4.16.11, provided by the vendor properfraction. The plugin delivers ecommerce, user registration, login, profile, and restricted content functionality and is used within WordPress installations.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The issue is not listed in CISA's KEV catalog. The attack requires an authenticated WordPress user with Subscriber or higher privileges and involves manipulating the change_plan_sub_id input during the checkout process. While the attack vector is limited to authenticated accounts, the impact is significant: any user's subscription can be revoked, effectively a denial of service against the affected subscriber.

Generated by OpenCVE AI on March 17, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProfilePress to a version newer than 4.16.11.
  • If an immediate upgrade is not possible, restrict the change_plan_sub_id capability for Subscriber+ users by adjusting role permissions or adding custom code to enforce ownership checks.
  • Audit subscription cancellation logs for abnormal activity to detect potential abuse.
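The pattern the description names (a caller-supplied change_plan_sub_id trusted without an ownership check, CWE-639) shown beside the ownership-bound form, as an added illustration that is not ProfilePress code; every function name, the customer_user_id field and the sample records are hypothetical.

```php
<?php
// Added illustration of the IDOR shape described for CVE-2026-3453, using hypothetical
// names. Not the plugin's code; the real fix belongs in the vendor's handler.

// Stand-in for a database lookup. 'customer_user_id' is an assumed field, not the plugin's schema.
function hypo_load_subscription( int $sub_id ): ?array {
    // Constructed sample records: subscription 41 belongs to user 7, 42 to user 99.
    static $subs = [
        41 => [ 'id' => 41, 'customer_user_id' => 7,  'status' => 'active' ],
        42 => [ 'id' => 42, 'customer_user_id' => 99, 'status' => 'active' ],
    ];
    return $subs[ $sub_id ] ?? null;
}

// Vulnerable shape: the record is loaded by the supplied ID and acted on with no
// check that it belongs to the requesting user.
function hypo_cancel_for_plan_change_vulnerable( array $request, int $current_user_id ): string {
    $sub = hypo_load_subscription( (int) ( $request['change_plan_sub_id'] ?? 0 ) );
    if ( ! $sub ) {
        return 'not_found';
    }
    return 'cancelled:' . $sub['id']; // any authenticated user can reach any subscription
}

// Hardened shape: the record is bound to the requesting user before any state change,
// and a mismatch is logged so the audit trail recommended above has something to show.
function hypo_cancel_for_plan_change_fixed( array $request, int $current_user_id ): string {
    $sub_id = max( 0, (int) ( $request['change_plan_sub_id'] ?? 0 ) );
    $sub    = hypo_load_subscription( $sub_id );
    if ( $sub && (int) $sub['customer_user_id'] !== $current_user_id ) {
        error_log( "subscription ownership mismatch: user {$current_user_id} sent change_plan_sub_id={$sub_id}" );
    }
    // "Not yours" and "not found" get the same answer so the response does not confirm which IDs exist.
    if ( ! $sub || (int) $sub['customer_user_id'] !== $current_user_id ) {
        return 'not_found';
    }
    if ( $sub['status'] !== 'active' ) {
        return 'not_active';
    }
    return 'cancelled:' . $sub['id'];
}

// Constructed request: user 7 submits user 99's subscription ID during checkout.
$req = [ 'change_plan_sub_id' => '42' ];
echo hypo_cancel_for_plan_change_vulnerable( $req, 7 ), "\n";
echo hypo_cancel_for_plan_change_fixed( $req, 7 ), "\n";
```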

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Properfraction; Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress; Wordpress; Wordpress wordpress
Vendors & Products | | Properfraction; Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims.
Title ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T15:39:47.219Z

Reserved: 2026-03-02T17:56:22.573Z

Link: CVE-2026-3453

Vulnrichment

Updated: 2026-03-11T15:39:35.972Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T03:15:56.227

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-3453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:38:03Z

Weaknesses