CVE-2026-1926
Unauthorized Subscription Cancellation in WooCommerce Plugin via Missing Capability Check
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | subscriptions_for_woocommerce | up to and including 1.9.2 |
| wp_swings | subscriptions_for_woocommerce | 1.9.2 |
| wp_swings | subscriptions_for_woocommerce | 1.9.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Subscriptions for WooCommerce plugin for WordPress, specifically in all versions up to and including 1.9.2. It is caused by a missing capability check in the function `wps_sfw_admin_cancel_susbcription()`. This function is hooked to the WordPress `init` action but lacks proper authentication and authorization checks.
Additionally, the function only checks if a nonce parameter is non-empty but does not properly validate it using the `wp_verify_nonce()` function. Because of this, an unauthenticated attacker can send a specially crafted GET request with an arbitrary nonce value and a `wps_subscription_id` parameter to cancel any active WooCommerce subscription without permission.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to cancel active WooCommerce subscriptions arbitrarily. The impact is an unauthorized modification of subscription data, specifically the cancellation of subscriptions without the consent or knowledge of the subscription owner or site administrator.
Such unauthorized cancellations can lead to loss of revenue, disruption of service for legitimate customers, and potential customer dissatisfaction or trust issues.
The CVSS v3.1 base score of 5.3 indicates a medium severity, with the attack vector being network-based, requiring no privileges or user interaction, and impacting the integrity of the subscription data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized GET requests to the WooCommerce subscription cancellation endpoint that carry the `wps_subscription_id` parameter together with an arbitrary nonce value. Because the vulnerable function is hooked to `init`, it runs on any request that supplies these parameters, so web server or network logs can be inspected for requests to the plugin's subscription cancellation functionality that come from unauthenticated clients.
In practice, detection focuses on HTTP GET requests that reach `wps_sfw_admin_cancel_susbcription()` without an authenticated session or a nonce that would pass proper verification.
Suggested commands for detection include:
- Search the web server access logs (Apache or Nginx) for GET requests containing the `wps_subscription_id` parameter:
  - `grep -i 'wps_subscription_id' /var/log/apache2/access.log`
  - `grep -i 'wps_subscription_id' /var/log/nginx/access.log`
- Use a network capture tool such as tcpdump or Wireshark to filter HTTP GET requests carrying the `wps_subscription_id` parameter (this filter only matches TCP segments with a payload on plaintext port 80; TLS traffic on 443 has to be inspected at the web server or behind the TLS terminator instead):
  - `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'wps_subscription_id'`
Additionally, reviewing WordPress logs or plugin-specific logs (if enabled) for unexpected subscription cancellations without valid user authentication may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should:
- Update the Subscriptions for WooCommerce plugin to a version later than 1.9.2 where the vulnerability is fixed, as the issue exists in all versions up to and including 1.9.2.
- If an immediate update is not possible, apply temporary access controls such as restricting access to the subscription cancellation functionality by IP address or requiring authentication at the web server or application level.
- Implement Web Application Firewall (WAF) rules to block or monitor requests containing the `wps_subscription_id` parameter in GET requests that are unauthenticated or suspicious.
- Disable or remove the vulnerable plugin if it is not essential to your site's operation until a patched version is applied.
Longer term, ensure that all plugin functions performing sensitive actions include proper capability checks and nonce verification using `wp_verify_nonce()` to prevent unauthorized access.
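The following is an added, constructed illustration of the two defects the Q&A describes (a handler on `init` with no capability check and a nonce that is only tested for non-emptiness) beside a hardened version using `current_user_can()` and `wp_verify_nonce()`. It is not the plugin's code: the `example_*` function names, the `_wpnonce` parameter name, the `manage_woocommerce` capability choice and the `example_mark_subscription_cancelled()` persistence helper are assumptions; only `wps_subscription_id` comes from the advisory.

```php
<?php
// Constructed example, not code from the Subscriptions for WooCommerce plugin.

// Vulnerable shape (as described in the advisory): runs on every request via
// `init`, never checks who the caller is, and accepts any non-empty nonce.
function example_cancel_subscription_vulnerable() {
    if ( empty( $_GET['wps_subscription_id'] ) || empty( $_GET['_wpnonce'] ) ) {
        return;
    }
    // Any visitor with a non-empty `_wpnonce` string reaches this line.
    $subscription_id = absint( $_GET['wps_subscription_id'] );
    example_mark_subscription_cancelled( $subscription_id ); // assumed helper
}

// Hardened shape: authenticated, capability-checked, and the nonce is verified
// against the exact action (and subscription id) it was generated for.
function example_cancel_subscription_hardened() {
    if ( ! isset( $_GET['wps_subscription_id'], $_GET['_wpnonce'] ) ) {
        return;
    }
    // Reject unauthenticated callers and callers without the needed capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to cancel subscriptions.', 'example' ), 403 );
    }
    $subscription_id = absint( $_GET['wps_subscription_id'] );
    $nonce           = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
    // wp_verify_nonce() ties the token to the current user and session, so a
    // guessed or arbitrary value fails here instead of passing an empty() test.
    if ( ! wp_verify_nonce( $nonce, 'example_cancel_subscription_' . $subscription_id ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), 403 );
    }
    example_mark_subscription_cancelled( $subscription_id ); // assumed helper
}
// Admin-only action: hook it to `admin_init`, not to the front-end `init`.
add_action( 'admin_init', 'example_cancel_subscription_hardened' );

// Link generator that produces the matching per-subscription nonce.
function example_cancel_link( $subscription_id ) {
    $subscription_id = absint( $subscription_id );
    $url = add_query_arg( 'wps_subscription_id', $subscription_id,
        admin_url( 'admin.php?page=example-subscriptions' ) );
    return wp_nonce_url( $url, 'example_cancel_subscription_' . $subscription_id );
}
```

Binding the nonce action to the subscription id means a token issued for one subscription cannot be replayed against another, which a bare `wp_verify_nonce( $nonce, 'cancel' )` would allow.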