CVE-2026-3445
Received Received - Intake
Authorization Bypass in ProfilePress Plugin Allows Free Memberships

Publication date: 2026-04-04

Last updated on: 2026-04-04

Assigner: Wordfence

Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-04
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3445
EUVD
EUVD-2026-18987
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
profilepress paid_membership_plugin to 4.16.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3445 is a security vulnerability in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress, affecting all versions up to and including 4.16.11.

The issue arises because the plugin does not properly verify ownership of the subscription when processing membership plan changes via the `change_plan_sub_id` parameter in the `process_checkout()` function.

This flaw allows authenticated users with subscriber-level access or higher to reference and manipulate another user's active subscription during checkout, specifically affecting proration calculations.

As a result, attackers can bypass payment and obtain paid lifetime membership plans without actually paying, by exploiting the `ppress_process_checkout` AJAX action.

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation where an attacker with subscriber-level access can obtain paid membership plans without payment.

The attacker can manipulate subscription proration calculations by referencing other users' active subscriptions, effectively bypassing payment requirements.

This can result in financial loss for the site owner due to unpaid access to premium membership features or content.

Additionally, it undermines the integrity of the membership system and could lead to further abuse or exploitation of subscription-based services.

Detection Guidance

This vulnerability involves unauthorized membership payment bypass due to missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function of the ProfilePress plugin for WordPress.

To detect exploitation attempts on your system or network, you should monitor for unusual AJAX requests to the `ppress_process_checkout` action, especially those where a subscriber-level user attempts to reference or manipulate another user's subscription ID.

Since the vulnerability is exploited via authenticated users sending crafted requests, you can check your web server or application logs for suspicious POST requests to endpoints handling checkout or subscription changes.

  • Review web server logs (e.g., Apache or Nginx) for POST requests to `admin-ajax.php` with the action parameter `ppress_process_checkout`.
  • Use commands like `grep 'ppress_process_checkout' /path/to/access.log` to filter relevant requests.
  • Look for requests where the `change_plan_sub_id` parameter is set to subscription IDs that do not belong to the authenticated user.
  • If you have access to the database, query the subscriptions table to verify ownership consistency between users and their subscriptions.
Mitigation Strategies

The primary mitigation step is to update the ProfilePress plugin to version 4.16.12 or later, where the vulnerability has been fixed by enforcing strict ownership verification on subscription plan changes.

The fix includes verifying that the subscription being changed belongs to the authenticated user and throwing an exception if it does not, preventing unauthorized plan switching.

If immediate update is not possible, consider temporarily restricting subscriber-level users from accessing checkout or subscription upgrade functionality.

Additionally, monitor logs for suspicious activity as described above and consider implementing web application firewall (WAF) rules to block unauthorized AJAX requests attempting to manipulate subscription IDs.

Compliance Impact

The vulnerability allows authenticated users to bypass payment and obtain paid lifetime membership plans without authorization by manipulating subscription ownership verification.

This unauthorized access and manipulation of subscription data could lead to improper handling of user payment information and membership status, potentially violating principles of data integrity and access control required by standards such as GDPR and HIPAA.

However, the provided context does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3445. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart