CVE-2026-3453

Name of the Vulnerable Software and Affected Versions ProfilePress versions prior to 4.16.11

Description The ProfilePress plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is a result of a lack of ownership validation on the change plan sub id parameter within the process checkout() function. The ppress process checkout AJAX handler accepts a user-controlled subscription ID for plan upgrades, loads the subscription record, and cancels or expires it without verifying the subscription belongs to the requesting user. This allows authenticated attackers with Subscriber-level access or higher to cancel and expire any other user's active subscription using the change plan sub id parameter during checkout, resulting in immediate loss of paid access for victims.

Recommendations Update ProfilePress to version 4.16.11 or later.