PT-2026-26026 · Unknown · Woocommerce

Shrikant Bhosale

·

Published

2026-03-18

·

Updated

2026-03-18

·

CVE-2026-1926

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Subscriptions for WooCommerce versions up to and including 1.9.2
Description

The Subscriptions for WooCommerce plugin for WordPress is susceptible to unauthorized data modification. The cause is a missing capability check in the wps_sfw_admin_cancel_susbcription() function. The function is hooked to the init action, so it runs on every request without any authentication or authorization check. It only tests that a nonce parameter is present; it never validates the value with wp_verify_nonce(). As a result, an unauthenticated attacker can cancel any active WooCommerce subscription by sending a crafted GET request that carries an arbitrary nonce value together with the target subscription in the wps_subscription_id parameter. The advisory does not name a specific endpoint; because the handler runs on init, any request to the site that carries these parameters reaches it.
Recommendations

Installations running version 1.9.2 or earlier should be updated to a fixed release as soon as one is available. Until then, as a temporary workaround, block unauthenticated requests that carry the wps_subscription_id parameter (for example with a web-server or WAF rule, or a small must-use plugin that runs on init before the vulnerable handler), so that wps_sfw_admin_cancel_susbcription() cannot be reached by anonymous visitors.
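The following PHP is an added illustration, not code from the Subscriptions for WooCommerce plugin or from this advisory. It shows the handler shape the description above implies (nonce present but never verified, no capability check), a hardened version that performs the authentication, authorization and nonce checks the description says are missing, and a minimal must-use-plugin workaround of the kind the recommendation suggests. The WordPress API calls (add_action, wp_verify_nonce, current_user_can, is_user_logged_in, wp_die, wp_nonce_url) and the wps_subscription_id parameter are real; the nonce parameter name wps_sfw_nonce, the nonce action string, the meta key and the helper function names are assumptions made for the example.

```php
<?php
/**
 * Added example for the CVE-2026-1926 pattern. Not the plugin's own code.
 * Assumed names: wps_sfw_nonce (nonce query parameter), 'wps_sfw_cancel_subscription'
 * (nonce action), '_wps_subscription_status' (meta key), example_* helpers.
 */

/* --- Shape of the vulnerable handler as the advisory describes it --------------- */
function example_cancel_subscription_vulnerable() {
    // Only checks that *some* nonce value is present; any string passes.
    if ( ! isset( $_GET['wps_subscription_id'], $_GET['wps_sfw_nonce'] ) ) {
        return;
    }
    // No is_user_logged_in(), no current_user_can(), no wp_verify_nonce():
    // an anonymous GET cancels whatever ID is supplied.
    example_set_subscription_cancelled( absint( $_GET['wps_subscription_id'] ) );
}

/* --- Hardened handler: the same action, gated by the checks that were missing ----- */
function example_cancel_subscription_hardened() {
    if ( empty( $_GET['wps_subscription_id'] ) ) {
        return; // not a cancel request, nothing to do on this init run
    }

    // 1. Authentication + authorization: only store managers/admins may cancel.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to cancel subscriptions.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce must be cryptographically verified against a fixed action string,
    //    not merely present. wp_verify_nonce() returns false for arbitrary values.
    $nonce = isset( $_GET['wps_sfw_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['wps_sfw_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wps_sfw_cancel_subscription' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 3. Input validation: the ID must be a positive integer that refers to a subscription.
    $subscription_id = absint( $_GET['wps_subscription_id'] );
    if ( 0 === $subscription_id || ! example_is_subscription( $subscription_id ) ) {
        wp_die( esc_html__( 'Invalid subscription.', 'example' ), '', array( 'response' => 400 ) );
    }

    example_set_subscription_cancelled( $subscription_id );

    // Redirect back so a refresh does not replay the action; the nonce is single-purpose anyway.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'init', 'example_cancel_subscription_hardened' );

/* --- Building the admin link so the nonce actually matches the check above -------- */
function example_cancel_link( $subscription_id ) {
    $url = add_query_arg( 'wps_subscription_id', absint( $subscription_id ), admin_url() );
    return wp_nonce_url( $url, 'wps_sfw_cancel_subscription', 'wps_sfw_nonce' );
}

/* --- Helpers (assumed storage model: subscription status kept in post meta) ------- */
function example_is_subscription( $id ) {
    $post = get_post( $id );
    return $post instanceof WP_Post && 'wps_subscriptions' === $post->post_type; // assumed post type
}
function example_set_subscription_cancelled( $id ) {
    update_post_meta( $id, '_wps_subscription_status', 'cancelled' ); // assumed meta key
}

/* --- Temporary workaround (drop into wp-content/mu-plugins/) while unpatched ------ */
// Priority 0 runs before default-priority (10) init callbacks, so this rejects the
// request before a vulnerable handler registered at the default priority sees it.
add_action( 'init', function () {
    if ( isset( $_GET['wps_subscription_id'] ) && ! is_user_logged_in() ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
}, 0 );
```

The hardened handler could equally call check_admin_referer( 'wps_sfw_cancel_subscription', 'wps_sfw_nonce' ), which wraps wp_verify_nonce() and dies on failure; the capability check must still come separately, since a valid nonce only proves the request originated from a page WordPress generated for that user, not that the user is allowed to cancel subscriptions. The workaround only blocks anonymous callers; if the plugin registers its handler at a priority below 10, the guard priority must be lowered accordingly.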

Fix

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2026-1926

Affected Products

Woocommerce Subscriptions
Woocommerce