WordPress Plugin Vulnerabilities

ProfilePress < 4.16.12 - Subscriber+ Membership Payment Bypass

Description

The plugin is vulnerable to unauthorized membership payment bypass due to a missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action.

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 4.16.12

References

CVE
CVE-2026-3445
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae1e198b-0c0d-47aa-8a56-ec4e790c8022

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Supakiad S. (m3ez)
Verified
No
WPVDB ID
490b3569-6810-4ac7-92a5-b1fca4203cfc

Timeline

Publicly Published
2026-04-03 (about 1 month ago)
Added
2026-04-06 (about 1 month ago)
Last Updated
2026-05-11 (about 2 days ago)

Other

Published
Title
Published
2025-01-24
Title
GoHero Store Customizer for WooCommerce < 4.0 - Missing Authorization to Unuthenticated Settings Update
Published
2025-03-27
Title
Cool Author Box < 3.0.0 - Missing Authorization
Published
2026-01-27
Title
aDirectory < 3.0.4 - Missing Authorization
Published
2025-12-10
Title
Comparimager for Elementor <= 1.0.1 - Missing Authorization
Published
2025-12-31
Title
Watcher for Elementor <= 1.0.9 - Missing Authorization