WordPress Plugin Vulnerabilities

ProfilePress < 4.16.17 - Subscriber+ Subscription Cancellation via IDOR

Description

The plugin does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
On lifetime plans the victim's WordPress role is additionally removed, and where a payment gateway is connected the cancellation is propagated to it, making the impact difficult to reverse. Subscription IDs are sequential integers, so an attacker can enumerate and cancel every active subscription on the site.

Proof of Concept

Affects Plugins

Plugin icon
wp-user-avatar
Fixed in 4.16.17

References

CVE
CVE-2026-10820
URL
https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/MyAccount/MyAccountTag.php#L247
URL
https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Themes/Starter/AbstractTheme/view-subscription.tmpl.php#L98
URL
https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Membership/Models/Subscription/SubscriptionEntity.php#L625

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Haitam Lazaar
Submitter
Haitam Lazaar
Submitter website
https://www.linkedin.com/in/haitam-lazaar/
Verified
Yes
WPVDB ID
cb7ad514-e0d5-4ff3-803a-918cdc194f39

Timeline

Publicly Published
2026-06-06 (about 21 days ago)
Added
2026-06-06 (about 20 days ago)
Last Updated
2026-06-25 (about 1 day ago)

Other

Published
Title
Published
2025-11-10
Title
Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
Published
2025-09-18
Title
Service Finder Bookings <= 6.0 - Unauthenticated Privilege Escalation via claim_business
Published
2026-01-02
Title
Roam <= 2.1.1 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-11-24
Title
Wishlist for WooCommerce < 1.1.4 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
Published
2026-04-07
Title
Awesome Support < 6.3.8 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter