CVE-2026-3453
Published: 11 March 2026
Summary
CVE-2026-3453 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations on the change_plan_sub_id parameter to prevent authenticated users from canceling or expiring subscriptions belonging to other users.
Validates the user-controlled subscription ID input in the ppress_process_checkout AJAX handler to confirm ownership by the requesting user before processing.
Provides for timely identification, reporting, and remediation of the specific IDOR flaw in ProfilePress versions up to 4.16.11 by patching to 4.16.12 or later.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public-facing WordPress plugin directly enables T1190 exploitation; resulting unauthorized subscription cancellation facilitates T1531 account access removal via loss of paid access.
NVD Description
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts…
more
a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims.
Deeper analysisAI
CVE-2026-3453 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the ProfilePress plugin for WordPress in all versions up to and including 4.16.11. The issue stems from missing ownership validation on the user-controlled change_plan_sub_id parameter within the process_checkout() function. Specifically, the ppress_process_checkout AJAX handler loads a subscription record based on this parameter, intended for plan upgrades, and cancels or expires it without confirming that the subscription belongs to the requesting user.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying any other user's active subscription ID via the change_plan_sub_id parameter during checkout, attackers can immediately cancel and expire the victim's subscription, resulting in loss of paid access. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), reflecting high impact on integrity and availability.
Mitigation details are outlined in advisories from Wordfence and code references in the WordPress plugin trac repository. The patch is implemented in changeset 3474509, which modifies the CheckoutController.php file (notably around lines 237, 334, and 342 in version 4.16.9) to add proper ownership checks. Security practitioners should update to ProfilePress version 4.16.12 or later and review access controls on AJAX handlers handling user-specific resources.
Details
- CWE(s)