{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1926", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T19:42:00.982Z", "datePublished": "2026-03-18T03:37:14.702Z", "dateUpdated": "2026-04-08T17:31:05.407Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:05.407Z"}, "affected": [{"vendor": "wpswings", "product": "Subscriptions for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via `wp_verify_nonce()`. This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the `wps_subscription_id` parameter."}], "title": "Subscriptions for WooCommerce <= 1.9.2 - Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eabfdf29-eca9-4e4b-b809-23a83f5a91ac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/admin/class-subscriptions-for-woocommerce-admin.php#L831"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/admin/class-subscriptions-for-woocommerce-admin.php#L831"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/includes/class-subscriptions-for-woocommerce.php#L248"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/includes/class-subscriptions-for-woocommerce.php#L248"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3470887%40subscriptions-for-woocommerce%2Ftrunk&old=3449291%40subscriptions-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "shrikant bhosale"}], "timeline": [{"time": "2026-02-04T19:57:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-17T14:44:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:17:08.141760Z", "id": "CVE-2026-1926", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:18:54.734Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1926", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T14:17:08.141760Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:18:47.023Z"}}], "cna": {"title": "Subscriptions for WooCommerce <= 1.9.2 - Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation", "credits": [{"lang": "en", "type": "finder", "value": "shrikant bhosale"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpswings", "product": "Subscriptions for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.9.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-04T19:57:22.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-17T14:44:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eabfdf29-eca9-4e4b-b809-23a83f5a91ac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/admin/class-subscriptions-for-woocommerce-admin.php#L831"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/admin/class-subscriptions-for-woocommerce-admin.php#L831"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/includes/class-subscriptions-for-woocommerce.php#L248"}, {"url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/includes/class-subscriptions-for-woocommerce.php#L248"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3470887%40subscriptions-for-woocommerce%2Ftrunk&old=3449291%40subscriptions-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via `wp_verify_nonce()`. This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the `wps_subscription_id` parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:05.407Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1926", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:05.407Z", "dateReserved": "2026-02-04T19:42:00.982Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-18T03:37:14.702Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via `wp_verify_nonce()`. This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the `wps_subscription_id` parameter."}, {"lang": "es", "value": "El plugin Subscriptions for WooCommerce para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n `wps_sfw_admin_cancel_susbcription()` en todas las versiones hasta la 1.9.2, inclusive. Esto se debe a que la funci\u00f3n est\u00e1 enganchada a la acci\u00f3n `init` sin ninguna verificaci\u00f3n de autenticaci\u00f3n o autorizaci\u00f3n, y solo realiza una verificaci\u00f3n de no-vac\u00edo en el par\u00e1metro nonce sin validarlo realmente a trav\u00e9s de `wp_verify_nonce()`. Esto hace posible que atacantes no autenticados cancelen cualquier suscripci\u00f3n activa de WooCommerce enviando una solicitud GET manipulada con un valor nonce arbitrario a trav\u00e9s del par\u00e1metro `wps_subscription_id`."}], "id": "CVE-2026-1926", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-18T04:17:14.887", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/admin/class-subscriptions-for-woocommerce-admin.php#L831"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/includes/class-subscriptions-for-woocommerce.php#L248"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/admin/class-subscriptions-for-woocommerce-admin.php#L831"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/includes/class-subscriptions-for-woocommerce.php#L248"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3470887%40subscriptions-for-woocommerce%2Ftrunk&old=3449291%40subscriptions-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eabfdf29-eca9-4e4b-b809-23a83f5a91ac?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Subscriptions for WooCommerce", "source": "cna", "vendor": "wpswings"}, "product": "subscriptions_for_woocommerce", "vendor": "wpswings"}], "analysis": {"en": {"generated_at": "2026-03-18T05:50:21.621564+00:00", "value": {"mitigation_remediation": ["Update the Subscriptions for WooCommerce plugin to the latest release; verify that the vendor\u2019s website provides an update that fixes the vulnerability.", "Ensure the update is properly applied by confirming that subscription cancellations now require valid user credentials and proper nonce verification.", "If an immediate update is not possible, block or sanitize GET requests that target the wps_sfw_admin_cancel_susbcription() action, or manually add a capability check to the function to prevent unauthenticated access.", "Monitor WooCommerce logs for unexpected subscription cancellation activity to detect potential exploitation attempts.", "Implement or update web application firewall rules to reject crafted cancel requests containing unverified nonce parameters."], "summary": {"action": "Update Plugin", "impact": "Unrestricted Cancellation of Subscriptions"}, "threat_synthesis": {"affected_systems": "The vendor is wpswings and the affected product is Subscriptions for WooCommerce. All releases up to and including version 1.9.2 are vulnerable. No other versions are known to be impacted.", "description_and_impact": "The Subscriptions for WooCommerce plugin contains a missing capability check in the wps_sfw_admin_cancel_susbcription() function. The function is hooked to the WordPress init action without any authentication or authorization checks, and it only verifies that a nonce parameter is not empty, without calling wp_verify_nonce(). Because of this flaw, an unauthenticated attacker can cancel any active WooCommerce subscription by sending a crafted GET request that includes a non\u2011verified nonce value via the wps_subscription_id parameter. The vulnerability represents a missing authorization flaw (CWE-862) and results in the unauthorized modification of subscription status.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires no credentials; the attacker only needs to construct a GET request to the plugin\u2019s cancellation endpoint with an arbitrary, non\u2011verified nonce. The lack of authentication barriers makes the attack straightforward and increases the risk of unauthorized subscription cancellation."}}}}, "created": "2026-03-18T10:41:52.500597+00:00", "updated": "2026-03-24T10:59:21.661323+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpswings", "wpswings$PRODUCT$subscriptions_for_woocommerce"]}