CVE-2026-3453
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2Tags
Description
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims.
Analysis
Authenticated users can terminate arbitrary subscriptions in WordPress ProfilePress plugin versions up to 4.16.11 through an IDOR vulnerability in the checkout process that lacks ownership validation on subscription IDs. Any subscriber-level user can exploit the change_plan_sub_id parameter to cancel or expire other users' active subscriptions, immediately revoking their paid access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all ProfilePress installations and document affected versions; disable the plugin if not business-critical or restrict access to trusted users only. Within 7 days: Monitor AJAX logs for suspicious ppress_process_checkout requests; implement Web Application Firewall rules to block unauthorized subscription parameter manipulation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today