PT-2026-30316 · WordPress · Profilepress

Supakiad S · Published 2026-04-04 · Updated 2026-04-05 · CVE-2026-3445

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ProfilePress versions prior to 4.16.12

Description: The ProfilePress plugin for WordPress is susceptible to an unauthorized membership payment bypass due to a missing ownership verification on the `change_plan_sub_id` parameter within the `process_checkout()` function. Authenticated attackers with subscriber-level access or higher can manipulate proration calculations by referencing another user's active subscription during checkout via the `ppress_process_checkout` AJAX action, potentially obtaining paid lifetime membership plans without payment.

Recommendations: Update ProfilePress to version 4.16.12 or later.
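The ownership check whose absence is described above, shown as an added example in plain PHP. This is illustrative code, not ProfilePress's own: the function names, record fields and the subscription records are constructed, and the lookup stands in for a database query.

```php
<?php
// Constructed subscription records standing in for a database lookup.
const DEMO_SUBSCRIPTIONS = [
    101 => ['id' => 101, 'customer_user_id' => 7, 'status' => 'active',    'plan_id' => 3],
    102 => ['id' => 102, 'customer_user_id' => 9, 'status' => 'active',    'plan_id' => 5],
    103 => ['id' => 103, 'customer_user_id' => 7, 'status' => 'cancelled', 'plan_id' => 3],
];

function demo_load_subscription(int $id): ?array
{
    return DEMO_SUBSCRIPTIONS[$id] ?? null;
}

// Resolve the subscription a plan change may take proration credit from.
// Returns null whenever the checkout must be priced as a plain new purchase.
function demo_resolve_proration_subscription(int $current_user_id, array $request): ?array
{
    if ($current_user_id <= 0) {
        return null; // anonymous checkout: never apply proration
    }
    $sub_id = (int) ($request['change_plan_sub_id'] ?? 0);
    if ($sub_id <= 0) {
        return null; // no plan change requested
    }
    $sub = demo_load_subscription($sub_id);
    if ($sub === null || $sub['status'] !== 'active') {
        return null; // unknown or inactive subscription carries no credit
    }
    // Ownership check: the referenced subscription must belong to the user
    // performing the checkout. Without this comparison the request could name
    // any active subscription and have its value credited against the new plan.
    if ((int) $sub['customer_user_id'] !== $current_user_id) {
        error_log(sprintf('checkout: user %d referenced subscription %d owned by user %d',
            $current_user_id, $sub_id, $sub['customer_user_id']));
        return null;
    }
    return $sub;
}

// User 7 may prorate from their own active subscription 101 ...
var_dump(demo_resolve_proration_subscription(7, ['change_plan_sub_id' => '101']) !== null);
// ... but not from user 9's subscription 102, nor from their own cancelled 103.
var_dump(demo_resolve_proration_subscription(7, ['change_plan_sub_id' => '102']) === null);
var_dump(demo_resolve_proration_subscription(7, ['change_plan_sub_id' => '103']) === null);
```

The logged rejection is the signal a defender would alert on: a checkout referencing a subscription id that does not belong to the requesting user.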

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-3445

Affected Products

Profilepress