CVE-2026-4949
Missing Authorization in ProfilePress Plugin Enables Unauthorized Plan Subscription
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_brain | profilepress | to 4.16.12 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content β ProfilePress plugin for WordPress, in all versions up to and including 4.16.12.
It is caused by the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided.
This flaw allows authenticated attackers with Subscriber-level access or higher to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.
How can this vulnerability impact me? :
This vulnerability can allow attackers with low-level authenticated access to bypass restrictions on membership plans by subscribing to inactive plans.
As a result, unauthorized users may gain access to content or services that should be restricted, potentially leading to loss of revenue or unauthorized use of resources.
The CVSS score of 4.3 indicates a low to medium severity impact, primarily affecting integrity but not confidentiality or availability.