CVE-2026-3453
IDOR Vulnerability in ProfilePress Plugin Allows Subscription Hijacking
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| profilepress | profilepress | up to and including 4.16.11 |
| wp_user_avatar | wp_user_avatar | up to and including 4.16.9 |
| wp_user_avatar | wp_user_avatar | up to and including 4.16.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The ProfilePress plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in all versions up to and including 4.16.11. This occurs because the plugin does not properly verify ownership of a subscription when processing a plan change during checkout.
Specifically, the AJAX handler process_checkout() accepts a user-controlled subscription ID parameter (change_plan_sub_id) intended for plan upgrades. However, it fails to check if the subscription actually belongs to the user making the request.
As a result, an authenticated attacker with Subscriber-level access or higher can cancel and expire any other user's active subscription by manipulating this parameter during checkout, causing immediate loss of paid access for the victim.
How can this vulnerability impact me?
This vulnerability allows an attacker with at least Subscriber-level access to cancel and expire other users' active subscriptions without authorization.
The immediate impact is that victims lose their paid access to services or content tied to their subscriptions.
This can lead to denial of service for legitimate users, potential revenue loss for the service provider, and damage to user trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the misuse of the change_plan_sub_id parameter in the AJAX handler process_checkout() of the ProfilePress plugin, allowing authenticated users with Subscriber-level access or above to cancel or expire other users' active subscriptions.
To detect exploitation attempts on your system or network, you can monitor AJAX requests to the process_checkout endpoint that include the change_plan_sub_id parameter.
- Check web server access logs for POST requests to the AJAX handler related to checkout processing that include the change_plan_sub_id parameter.
- Use command-line tools like grep to search for suspicious AJAX requests in your logs, for example: grep -i 'change_plan_sub_id' /path/to/access.log
- Monitor for unexpected subscription cancellations or expirations in your WordPress database or subscription management system.
- Implement logging or alerting on subscription cancellation events that are triggered via AJAX calls to detect unauthorized actions.
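As an added illustration (not ProfilePress code and not part of the original page), the following must-use plugin records every admin-ajax request that carries a change_plan_sub_id parameter together with the requesting user ID. It complements the grep over access.log above: web servers log the query string but not POST bodies by default, so a checkout form that sends change_plan_sub_id in the request body never shows up in the access log, whereas a hook inside WordPress sees the parameter and also knows who sent it. The hook and helper functions are standard WordPress APIs; the log line format is my own.

```php
<?php
/**
 * Plugin Name: Example change_plan_sub_id request logger
 * Description: Added illustration, not ProfilePress code. Place this file in
 *              wp-content/mu-plugins/ to log who sends change_plan_sub_id to admin-ajax.php.
 */

// admin-ajax.php fires admin_init before dispatching the requested action, so this
// callback runs for every AJAX call regardless of which plugin handles it.
add_action('admin_init', 'example_log_plan_change_requests');

function example_log_plan_change_requests(): void {
    // Only AJAX requests are of interest here.
    if (!function_exists('wp_doing_ajax') || !wp_doing_ajax()) {
        return;
    }
    // $_REQUEST covers both the query string and the POST body.
    if (!isset($_REQUEST['change_plan_sub_id'])) {
        return;
    }

    $entry = [
        'time'    => gmdate('c'),
        'user_id' => get_current_user_id(), // 0 when the caller is not logged in
        'action'  => isset($_REQUEST['action'])
            ? sanitize_key(wp_unslash($_REQUEST['action']))
            : '',
        'sub_id'  => absint(wp_unslash($_REQUEST['change_plan_sub_id'])),
        'method'  => isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '',
        'ip'      => isset($_SERVER['REMOTE_ADDR'])
            ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR']))
            : '',
    ];

    // One JSON line per request, written to the PHP error log
    // (or to wp-content/debug.log when WP_DEBUG_LOG is enabled).
    error_log('plan_change_request ' . wp_json_encode($entry));
}
```

The resulting lines give you the pair the access log cannot: which user_id submitted which sub_id. Comparing that sub_id against the subscription's real owner in the database is what turns a noisy grep into an actual indicator of misuse.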
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in version 4.16.12 of the plugin, where ownership validation was added to ensure that the subscription being changed belongs to the requesting user.
- Immediately update the ProfilePress plugin to version 4.16.12 or later to apply the patch that enforces subscription ownership checks.
- If updating immediately is not possible, restrict access to the AJAX process_checkout endpoint to trusted users only, or disable the plugin temporarily.
- Monitor subscription cancellation and expiration events for suspicious activity and investigate any unauthorized changes.
- Review user roles and permissions to ensure that only trusted users have Subscriber-level access or higher.
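To show what the ownership validation described above looks like in a WordPress AJAX handler, here is an added, hypothetical handler; it is not the ProfilePress code or its patch. example_get_subscription() and example_change_subscription_plan() are placeholders for a plugin's own data layer, the nonce name is an assumption, and the two subscription records are constructed sample data. The weak version trusts change_plan_sub_id as-is (the CWE-639 pattern); the hardened version resolves the subscription and refuses unless it belongs to the user making the request.

```php
<?php
// Added illustration of CWE-639 in a WordPress AJAX handler; not ProfilePress code.

/** Constructed sample data standing in for a plugin's subscription table (hypothetical). */
function example_get_subscription(int $sub_id): ?array {
    static $subs = [
        41 => ['id' => 41, 'user_id' => 7,  'status' => 'active'],
        42 => ['id' => 42, 'user_id' => 12, 'status' => 'active'],
    ];
    return $subs[$sub_id] ?? null;
}

/** Hypothetical stand-in for the plugin's plan-change routine. */
function example_change_subscription_plan(int $sub_id, int $plan_id): void {
    // Plugin-specific update of the subscription record goes here.
}

/** The decision the vulnerable handler never made: does this record belong to this user? */
function example_user_owns_subscription(array $sub, int $user_id): bool {
    return $user_id > 0 && (int) $sub['user_id'] === $user_id;
}

// Weak: any logged-in user can name any subscription ID.
function example_process_checkout_weak(): void {
    $sub_id  = absint($_POST['change_plan_sub_id'] ?? 0);
    $plan_id = absint($_POST['plan_id'] ?? 0);
    if ($sub_id > 0) {
        example_change_subscription_plan($sub_id, $plan_id); // no ownership check
    }
    wp_send_json_success();
}

// Hardened: authenticate, verify the nonce, then check ownership before acting.
function example_process_checkout_hardened(): void {
    if (!is_user_logged_in()) {
        wp_send_json_error(['message' => 'Login required.'], 401); // wp_die()s here
    }
    check_ajax_referer('example_checkout', 'nonce'); // nonce name is an assumption

    $sub_id  = absint($_POST['change_plan_sub_id'] ?? 0);
    $plan_id = absint($_POST['plan_id'] ?? 0);

    if ($sub_id > 0) {
        $sub = example_get_subscription($sub_id);
        // Missing and not-owned both answer "not found", so the response does not
        // reveal whether a given ID exists.
        if ($sub === null || !example_user_owns_subscription($sub, get_current_user_id())) {
            wp_send_json_error(['message' => 'Subscription not found.'], 404);
        }
        if ($sub['status'] !== 'active') {
            wp_send_json_error(['message' => 'Subscription is not active.'], 400);
        }
        example_change_subscription_plan($sub_id, $plan_id);
    }
    wp_send_json_success();
}

// Registering only the wp_ajax_ (logged-in) hook, not wp_ajax_nopriv_, keeps anonymous
// callers out; the explicit is_user_logged_in() check above is defence in depth.
add_action('wp_ajax_example_process_checkout', 'example_process_checkout_hardened');
```

The key point is the lookup-then-compare step: the client may name a subscription ID, but the server resolves that ID to a record and compares the record's user_id with get_current_user_id() before doing anything with it. Keeping that comparison in a small, separately testable function such as example_user_owns_subscription() makes it hard to forget in the next handler that accepts an ID.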