CVE-2026-4949
Received Received - Intake

Missing Authorization in ProfilePress Plugin Enables Unauthorized Plan Subscription

Vulnerability report for CVE-2026-4949, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-07-06
AI Q&A
2026-04-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_brain profilepress to 4.16.12 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress, in all versions up to and including 4.16.12.

It is caused by the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided.

This flaw allows authenticated attackers with Subscriber-level access or higher to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.

Impact Analysis

This vulnerability can allow attackers with low-level authenticated access to bypass restrictions on membership plans by subscribing to inactive plans.

As a result, unauthorized users may gain access to content or services that should be restricted, potentially leading to loss of revenue or unauthorized use of resources.

The CVSS score of 4.3 indicates a low to medium severity impact, primarily affecting integrity but not confidentiality or availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4949. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart