WordPress Plugin Vulnerabilities

ProfilePress < 4.16.12 - Subscriber+ Arbitrary Subscription Cancellation/Expiration

Description

The plugin is vulnerable to Insecure Direct Object Reference due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims.

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 4.16.12

References

CVE
CVE-2026-3453
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/74e4808f-bd6f-4e62-91cb-31c86a427498

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
8.1 (high)

Miscellaneous

Original Researcher
kai63001
Verified
No
WPVDB ID
c107c770-af31-49e0-bae4-86b2f45e1d60

Timeline

Publicly Published
2026-03-10 (about 2 months ago)
Added
2026-03-10 (about 2 months ago)
Last Updated
2026-03-10 (about 2 months ago)

Other

Published
Title
Published
2025-06-23
Title
MDJM Event Management <= 1.7.8.2 - Subscriber+ Privilege Escalation
Published
2024-03-18
Title
Permalink Manager < 2.4.3.2 - Missing Authorization to Authenticated(Author+) arbitrary post slug modification
Published
2025-12-29
Title
Struktur <= 2.5.1 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-07-31
Title
Service Finder Bookings < 6.1 - Authentication Bypass via User Switch Cookie
Published
2020-10-15
Title
Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion