WordPress Plugin Vulnerabilities

ProfilePress < 4.16.13 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 4.16.13

References

CVE
CVE-2026-4949
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4cc29d32-2727-42df-bd42-2caf0f182c0e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Supakiad S. (m3ez)
Verified
No
WPVDB ID
19c161a2-1b9c-4e1d-8358-e4f1f4690fc1

Timeline

Publicly Published
2026-04-15 (about 28 days ago)
Added
2026-04-15 (about 28 days ago)
Last Updated
2026-04-15 (about 28 days ago)

Other

Published
Title
Published
2026-01-25
Title
Share This Image < 2.10 - Missing Authorization
Published
2024-02-26
Title
Thank You Page Customizer for WooCommerce – Increase Your Sales < 1.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2022-09-20
Title
Import all XML, CSV & TXT into WordPress < 6.5.8 - Missing Authorisation
Published
2024-02-29
Title
Wp Social Login and Register Social Counter < 3.0.1 - Missing Authorization to Unauthenticated Social Login/Share Status Update
Published
2025-03-17
Title
Logo Slider < 3.7.4 - Unauthenticated Arbitrary Shortcode Execution