CVE-2026-3445
Authorization Bypass in ProfilePress Plugin Allows Free Memberships
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| profilepress | paid_membership_plugin | to 4.16.11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3445 is a security vulnerability in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content β ProfilePress plugin for WordPress, affecting all versions up to and including 4.16.11.
The issue arises because the plugin does not properly verify ownership of the subscription when processing membership plan changes via the `change_plan_sub_id` parameter in the `process_checkout()` function.
This flaw allows authenticated users with subscriber-level access or higher to reference and manipulate another user's active subscription during checkout, specifically affecting proration calculations.
As a result, attackers can bypass payment and obtain paid lifetime membership plans without actually paying, by exploiting the `ppress_process_checkout` AJAX action.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized privilege escalation where an attacker with subscriber-level access can obtain paid membership plans without payment.
The attacker can manipulate subscription proration calculations by referencing other users' active subscriptions, effectively bypassing payment requirements.
This can result in financial loss for the site owner due to unpaid access to premium membership features or content.
Additionally, it undermines the integrity of the membership system and could lead to further abuse or exploitation of subscription-based services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized membership payment bypass due to missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function of the ProfilePress plugin for WordPress.
To detect exploitation attempts on your system or network, you should monitor for unusual AJAX requests to the `ppress_process_checkout` action, especially those where a subscriber-level user attempts to reference or manipulate another user's subscription ID.
Since the vulnerability is exploited via authenticated users sending crafted requests, you can check your web server or application logs for suspicious POST requests to endpoints handling checkout or subscription changes.
- Review web server logs (e.g., Apache or Nginx) for POST requests to `admin-ajax.php` with the action parameter `ppress_process_checkout`.
- Use commands like `grep 'ppress_process_checkout' /path/to/access.log` to filter relevant requests.
- Look for requests where the `change_plan_sub_id` parameter is set to subscription IDs that do not belong to the authenticated user.
- If you have access to the database, query the subscriptions table to verify ownership consistency between users and their subscriptions.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the ProfilePress plugin to version 4.16.12 or later, where the vulnerability has been fixed by enforcing strict ownership verification on subscription plan changes.
The fix includes verifying that the subscription being changed belongs to the authenticated user and throwing an exception if it does not, preventing unauthorized plan switching.
If immediate update is not possible, consider temporarily restricting subscriber-level users from accessing checkout or subscription upgrade functionality.
Additionally, monitor logs for suspicious activity as described above and consider implementing web application firewall (WAF) rules to block unauthorized AJAX requests attempting to manipulate subscription IDs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users to bypass payment and obtain paid lifetime membership plans without authorization by manipulating subscription ownership verification.
This unauthorized access and manipulation of subscription data could lead to improper handling of user payment information and membership status, potentially violating principles of data integrity and access control required by standards such as GDPR and HIPAA.
However, the provided context does not explicitly state the direct impact on compliance with these regulations.