CVE-2026-3445
Published: 04 April 2026
Summary
CVE-2026-3445 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to subscription resources, directly addressing the missing ownership verification on the `change_plan_sub_id` parameter to prevent unauthorized payment bypass.
Validates the `change_plan_sub_id` information input to ensure it belongs to the authenticated user, blocking manipulation of proration calculations via the `ppress_process_checkout` AJAX action.
Requires timely identification, reporting, and correction of the code flaw in the `process_checkout()` function, mitigating the vulnerability through patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin allows authenticated low-priv users to bypass authorization checks for privilege escalation to paid membership access via exploitation of the checkout process.
NVD Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a…
more
missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action.
Deeper analysisAI
CVE-2026-3445 is an unauthorized membership payment bypass vulnerability in the ProfilePress plugin for WordPress, which handles paid memberships, ecommerce, user registration forms, login forms, user profiles, and content restriction. The issue stems from a missing ownership verification on the `change_plan_sub_id` parameter within the `process_checkout()` function, affecting all versions up to and including 4.16.11. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) and is associated with CWE-862 (Missing Authorization).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by referencing another user's active subscription ID during the checkout process via the `ppress_process_checkout` AJAX action. This manipulation of proration calculations enables attackers to obtain paid lifetime membership plans without making any payment, potentially granting unauthorized access to premium features or content.
Mitigation details are available in advisories from Wordfence and the WordPress plugins trac, including a relevant changeset at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3474509%40wp-user-avatar%2Ftrunk&old=3473639%40wp-user-avatar%2Ftrunk&sfp_email=&sfph_mail=#file3 and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/ae1e198b-0c0d-47aa-8a56-ec4e790c8022?source=cve.
Details
- CWE(s)