CVE-2026-4949
Status: Received (Intake)
Missing Authorization in ProfilePress Plugin Enables Unauthorized Plan Subscription

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-15
Generated: 2026-06-16
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
One associated CPE:
Vendor: wp_brain
Product: profilepress
Version / Range: all versions up to and including 4.16.12
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability exists in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress, in all versions up to and including 4.16.12.

It is caused by the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided.

This flaw allows authenticated attackers with Subscriber-level access or higher to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.
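The following is an added illustration of the authorization gap the description and the summary above refer to; it is not ProfilePress code and does not reproduce the plugin's real 'process_checkout'. It models a checkout handler in which the plan's active-status check is applied on the normal path but skipped on the plan-change path selected by 'change_plan_sub_id', next to a hardened version that validates the plan before branching. All class and function names, the in-memory plan and subscription data, and the ownership check on the referenced subscription are assumptions added here (the advisory only describes the missing active-status check; the ownership check is extra defensive validation).

```php
<?php
// Added illustrative example, not ProfilePress code. Models the flaw described in
// CVE-2026-4949: a checkout handler whose plan active-status check is bypassed when
// the request carries a change_plan_sub_id. Every name below is hypothetical.

declare(strict_types=1);

final class Plan {
    public function __construct(public int $id, public string $name, public bool $active) {}
}

final class Subscription {
    public function __construct(public int $id, public int $userId, public int $planId) {}
}

// Constructed sample data: one active plan, one deactivated plan, and one existing
// subscription owned by user 7 on the active plan.
$plans = [
    10 => new Plan(10, 'Basic (active)', true),
    20 => new Plan(20, 'Legacy Lifetime (inactive)', false),
];
$subscriptions = [
    501 => new Subscription(501, 7, 10),
];

// Vulnerable shape: the active-status check sits only on the "new subscription"
// branch, so the plan-change branch never consults it.
function checkout_vulnerable(array $req, int $userId, array $plans, array $subscriptions): string
{
    $plan = $plans[(int) ($req['plan_id'] ?? 0)] ?? null;
    if ($plan === null) {
        return 'error: unknown plan';
    }

    if (!empty($req['change_plan_sub_id'])) {
        // Plan-change path: the supplied subscription id is trusted and the plan's
        // status is never checked, so an inactive plan can be selected here.
        return "subscribed user {$userId} to plan {$plan->id} (plan change)";
    }

    if (!$plan->active) {
        return 'error: plan is not available';
    }
    return "subscribed user {$userId} to plan {$plan->id}";
}

// Hardened shape: decide whether the plan may be purchased at all before branching
// on the request shape, and on the plan-change path confirm that the referenced
// subscription exists and belongs to the caller (the ownership check is an added
// assumption, not something the advisory describes).
function checkout_hardened(array $req, int $userId, array $plans, array $subscriptions): string
{
    $plan = $plans[(int) ($req['plan_id'] ?? 0)] ?? null;
    if ($plan === null || !$plan->active) {
        return 'error: plan is not available';
    }

    if (!empty($req['change_plan_sub_id'])) {
        $sub = $subscriptions[(int) $req['change_plan_sub_id']] ?? null;
        if ($sub === null || $sub->userId !== $userId) {
            return 'error: subscription not found for this user';
        }
        return "subscribed user {$userId} to plan {$plan->id} (plan change from sub {$sub->id})";
    }
    return "subscribed user {$userId} to plan {$plan->id}";
}

// Constructed request a Subscriber-level user could send: the inactive plan plus an
// arbitrary change_plan_sub_id value.
$attack = ['plan_id' => '20', 'change_plan_sub_id' => '999'];
// Constructed legitimate plan change: user 7 moves its own subscription to plan 10.
$legit  = ['plan_id' => '10', 'change_plan_sub_id' => '501'];

echo 'vulnerable, attack: ', checkout_vulnerable($attack, 7, $plans, $subscriptions), PHP_EOL;
echo 'hardened,   attack: ', checkout_hardened($attack, 7, $plans, $subscriptions), PHP_EOL;
echo 'hardened,   legit:  ', checkout_hardened($legit, 7, $plans, $subscriptions), PHP_EOL;
```

Run with `php example.php` (PHP 8.0 or later, for constructor property promotion). The point of the hardened shape is ordering: the question "is this plan available for purchase?" depends only on the plan, so it is answered once, before any request-specific branching, rather than duplicated per branch where one copy can be forgotten.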

Impact Analysis

An attacker who holds only a Subscriber account, the lowest default WordPress role, can enrol in membership plans that the site owner has deactivated, such as plans withdrawn from sale, simply by adding a 'change_plan_sub_id' parameter to the checkout request.

As a result, unauthorized users may obtain memberships and the content or services attached to them, with loss of revenue or unintended use of resources as the likely consequence.

A CVSS score of 4.3 falls in the Medium band; the rated impact is to integrity (an unauthorized subscription is created), with no confidentiality or availability impact. Sites running 4.16.12 or earlier should update to a later release and audit existing subscriptions for any attached to inactive plans.
