CVE-2026-10820
Authenticated User Can Cancel Other Users' Subscriptions via IDOR

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: WPScan

Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
Affected Vendors & Products (2 associated CPEs)

Vendor               Product                 Version / Range
paid_membership_pro  paid_membership_plugin  to 4.16.17 (exc)
profilepress         profilepress            to 4.16.17 (exc)
CWE ID: CWE-UNKNOWN
Instant insights powered by AI
Impact Analysis

An attacker can cancel other users' active subscriptions, including those on lifetime plans, which may result in the removal of their WordPress roles.

If a payment gateway is connected, cancellations can propagate to the gateway, making the impact difficult to reverse.

Because subscription IDs are sequential integers, an attacker can easily enumerate and cancel all active subscriptions on the site, potentially causing widespread disruption.

Executive Summary

CVE-2026-10820 is an Insecure Direct Object Reference (IDOR) vulnerability in the ProfilePress WordPress plugin versions prior to 4.16.17. It occurs because the plugin does not verify that the user performing a subscription action actually owns the targeted subscription.

This flaw allows any authenticated user with Subscriber-level access or higher to cancel other users' active subscriptions by exploiting the lack of ownership verification.

Detection Guidance

The vulnerability involves an Insecure Direct Object Reference (IDOR) that allows authenticated users to cancel other users' active subscriptions by exploiting sequential subscription IDs.

Detection can focus on monitoring cancellation requests that target subscriptions not owned by the authenticated user, especially runs of requests that step through consecutive subscription IDs.

Since the vulnerability exploits subscription cancellation requests, network or application logs can be inspected for unusual cancellation activity initiated by Subscriber-level users.

Specific commands are not provided in the resources, but administrators can use web server or application logs to search for suspicious POST requests to subscription cancellation endpoints with subscription IDs that do not match the authenticated user.
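The log review described above, as an added example that is not part of this advisory or of the plugin's own code. It assumes a constructed audit-log line format and a subscription-to-owner table exported by the administrator; the action name cancel_subscription and the field names are placeholders, not the plugin's real endpoint or parameters.

```python
import re
from collections import defaultdict

# Constructed application audit-log lines (not real plugin output): one line
# per subscription action, recording the requesting user and the target ID.
SAMPLE_LOG = """\
2026-06-27T10:00:01Z method=POST action=cancel_subscription user_id=7 subscription_id=7
2026-06-27T10:00:05Z method=POST action=cancel_subscription user_id=12 subscription_id=301
2026-06-27T10:00:06Z method=POST action=cancel_subscription user_id=12 subscription_id=302
2026-06-27T10:00:07Z method=POST action=cancel_subscription user_id=12 subscription_id=303
2026-06-27T10:00:08Z method=POST action=cancel_subscription user_id=12 subscription_id=304
"""

# Constructed ownership table: subscription_id -> owning user_id, as exported
# from the plugin's subscription records by an administrator.
OWNERS = {7: 7, 301: 3, 302: 5, 303: 12, 304: 8}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) method=POST action=cancel_subscription "
    r"user_id=(?P<uid>\d+) subscription_id=(?P<sid>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, user_id, subscription_id) for each cancellation request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], int(m["uid"]), int(m["sid"])

def find_foreign_cancellations(text, owners):
    """Requests whose target subscription belongs to someone other than the
    requester. An ID absent from the ownership table is also flagged: it is
    either an enumeration probe or a record the exporter missed."""
    return [(ts, uid, sid) for ts, uid, sid in parse_log(text)
            if owners.get(sid) != uid]

def find_enumerators(text, min_run=3):
    """Users who requested a run of consecutive subscription IDs, the
    signature of walking sequential integers rather than using one's own."""
    seen = defaultdict(set)
    for _, uid, sid in parse_log(text):
        seen[uid].add(sid)
    flagged = set()
    for uid, sids in seen.items():
        ordered = sorted(sids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(uid)
                break
    return sorted(flagged)
```

On the constructed sample, find_foreign_cancellations reports user 12 cancelling subscriptions 301, 302 and 304 (303 is their own), and find_enumerators flags user 12 for the 301-304 run.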

Mitigation Strategies

The primary immediate mitigation step is to update the ProfilePress plugin to version 4.16.17 or later, where the vulnerability has been fixed.

Until the update is applied, restrict Subscriber-level users from performing subscription cancellation actions if possible.

Monitor subscription cancellation activities closely to detect and respond to any unauthorized cancellations.

Compliance Impact

The vulnerability allows any authenticated user to cancel other users' active subscriptions without verifying ownership, which can lead to unauthorized access and manipulation of user subscription data.

Such unauthorized actions could potentially violate data protection principles found in regulations like GDPR and HIPAA, which require proper access controls and protection of user data to prevent unauthorized modification or deletion.

Specifically, the ability to cancel subscriptions and remove WordPress roles without proper authorization may result in breaches of confidentiality and integrity of user data, impacting compliance with these standards.
