Cyber Resilience

CVE-2026-3453

High

Published: 11 March 2026

Published
11 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0038 29.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3453 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3453 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the ProfilePress plugin for WordPress in all versions up to and including 4.16.11. The issue stems from missing ownership validation on the user-controlled change_plan_sub_id parameter within the process_checkout() function. Specifically, the ppress_process_checkout AJAX handler loads a subscription record based on this parameter, intended for plan upgrades, and cancels or expires it without confirming that the subscription belongs to the requesting user.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By supplying any other user's active subscription ID via the change_plan_sub_id parameter during checkout, attackers can immediately cancel and expire the victim's subscription, resulting in loss of paid access. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), reflecting high impact on integrity and availability.

Mitigation details are outlined in advisories from Wordfence and code references in the WordPress plugin trac repository. The patch is implemented in changeset 3474509, which modifies the CheckoutController.php file (notably around lines 237, 334, and 342 in version 4.16.9) to add proper ownership checks. Security practitioners should update to ProfilePress version 4.16.12 or later and review access controls on AJAX handlers handling user-specific resources.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts…

more

a user-controlled subscription ID intended for plan upgrades, loads the subscription record, and cancels/expires it without verifying the subscription belongs to the requesting user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and expire any other user's active subscription via the change_plan_sub_id parameter during checkout, causing immediate loss of paid access for victims.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1531 Account Access Removal Impact
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

IDOR in public-facing WordPress plugin directly enables T1190 exploitation; resulting unauthorized subscription cancellation facilitates T1531 account access removal via loss of paid access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41471Shared CWE-639
CVE-2026-2554Shared CWE-639
CVE-2023-36331Shared CWE-639
CVE-2026-33297Shared CWE-639
CVE-2026-41084Shared CWE-639
CVE-2024-50685Shared CWE-639
CVE-2019-25235Shared CWE-639
CVE-2026-28469Shared CWE-639
CVE-2026-33511Shared CWE-639
CVE-2026-40600Shared CWE-639

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations on the change_plan_sub_id parameter to prevent authenticated users from canceling or expiring subscriptions belonging to other users.

prevent

Validates the user-controlled subscription ID input in the ppress_process_checkout AJAX handler to confirm ownership by the requesting user before processing.

prevent

Provides for timely identification, reporting, and remediation of the specific IDOR flaw in ProfilePress versions up to 4.16.11 by patching to 4.16.12 or later.

References