{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3453", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-02T17:56:22.573Z", "datePublished": "2026-03-11T02:22:46.456Z", "dateUpdated": "2026-04-08T17:01:14.561Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:14.561Z"}, "affected": [{"vendor": "properfraction", "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.16.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims."}], "title": "ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74e4808f-bd6f-4e62-91cb-31c86a427498?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L334"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L342"}, {"url": "https://plugins.trac.wordpress.org/changeset/3474509/wp-user-avatar/trunk/src/Membership/Controllers/CheckoutController.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supanat Konprom"}], "timeline": [{"time": "2026-03-02T18:11:34.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T14:08:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3453", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:38:16.449248Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:47.219Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3453", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:38:16.449248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:35.972Z"}}], "cna": {"title": "ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration", "credits": [{"lang": "en", "type": "finder", "value": "Supanat Konprom"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "properfraction", "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.16.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-02T18:11:34.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-10T14:08:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74e4808f-bd6f-4e62-91cb-31c86a427498?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L237"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L334"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L342"}, {"url": "https://plugins.trac.wordpress.org/changeset/3474509/wp-user-avatar/trunk/src/Membership/Controllers/CheckoutController.php"}], "descriptions": [{"lang": "en", "value": "The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:14.561Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3453", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:14.561Z", "dateReserved": "2026-03-02T17:56:22.573Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T02:22:46.456Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims."}, {"lang": "es", "value": "El plugin ProfilePress para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 4.16.11, inclusive. Esto se debe a la falta de validaci\u00f3n de propiedad en el par\u00e1metro change_plan_sub_id en la funci\u00f3n process_checkout(). El gestor AJAX ppress_process_checkout acepta un ID de suscripci\u00f3n controlado por el usuario destinado a actualizaciones de plan, carga el registro de suscripci\u00f3n y lo cancela/expira sin verificar que la suscripci\u00f3n pertenezca al usuario solicitante. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, cancelen y expiren la suscripci\u00f3n activa de cualquier otro usuario a trav\u00e9s del par\u00e1metro change_plan_sub_id durante el proceso de pago, causando la p\u00e9rdida inmediata del acceso de pago para las v\u00edctimas."}], "id": "CVE-2026-3453", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-11T03:15:56.227", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L237"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L334"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L342"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3474509/wp-user-avatar/trunk/src/Membership/Controllers/CheckoutController.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74e4808f-bd6f-4e62-91cb-31c86a427498?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "source": "cna", "vendor": "properfraction"}, "product": "paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_\u2013_profilepress", "vendor": "properfraction"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T17:52:54.586508+00:00", "value": {"mitigation_remediation": ["Upgrade ProfilePress to a version newer than 4.16.11.", "If an immediate upgrade is not possible, restrict the change_plan_sub_id capability for Subscriber+ users by adjusting role permissions or adding custom code to enforce ownership checks.", "Audit subscription cancellation logs for abnormal activity to detect potential abuse."], "summary": {"action": "Patch", "impact": "Unauthorized Subscription Cancellation"}, "threat_synthesis": {"affected_systems": "The flaw affects all releases of the ProfilePress Paid Membership Plugin up to and including version 4.16.11, provided by the vendor properfraction. The plugin delivers ecommerce, user registration, login, profile, and restricted content functionality and is used within WordPress installations.", "description_and_impact": "The vulnerability stems from an insecure direct object reference in the ProfilePress plugin, whereby the AJAX handler for process_checkout() accepts a user-provided subscription ID via the change_plan_sub_id parameter. Key detail from the CVE description: the handler loads the subscription record and cancels or expires it without verifying that the subscription belongs to the requesting user. This flaw enables an authenticated user with Subscriber level or higher privileges to terminate or expire any other user's active subscription, resulting in immediate loss of paid access to the victim.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low exploitation probability. The issue is not listed in CISA\u2019s KEV catalog. Attack requires an authenticated WordPress user with Subscriber or higher privileges and involves manipulating the change_plan_sub_id input during the checkout process. While the attack vector is contained to authenticated accounts, the impact is significant\u2014any user\u2019s subscription can be revoked, essentially causing a denial of service to the affected subscriber."}}}}, "created": "2026-03-12T10:06:29.038611+00:00", "updated": "2026-03-20T14:38:03.642538+00:00", "vendors": ["properfraction", "properfraction$PRODUCT$paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_\u2013_profilepress", "wordpress", "wordpress$PRODUCT$wordpress"]}