{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4949", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-27T06:15:12.658Z", "datePublished": "2026-04-15T22:26:05.515Z", "dateUpdated": "2026-04-15T22:26:05.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T22:26:05.515Z"}, "affected": [{"vendor": "properfraction", "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.16.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request."}], "title": "ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4cc29d32-2727-42df-bd42-2caf0f182c0e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Membership/Controllers/CheckoutController.php#L223"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Membership/Controllers/CheckoutController.php#L239"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Membership/Models/Subscription/SubscriptionEntity.php#L461"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Admin/SettingsPages/Membership/PlansPage/SettingsPage.php#L107"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Admin/SettingsPages/Membership/views/add-edit-plan.php#L24"}, {"url": "https://plugins.trac.wordpress.org/changeset/3497425/wp-user-avatar#file14"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-03-27T06:31:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T09:44:30.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request."}], "id": "CVE-2026-4949", "lastModified": "2026-04-15T23:16:10.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T23:16:10.383", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Admin/SettingsPages/Membership/PlansPage/SettingsPage.php#L107"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Admin/SettingsPages/Membership/views/add-edit-plan.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Membership/Controllers/CheckoutController.php#L223"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Membership/Controllers/CheckoutController.php#L239"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.10/src/Membership/Models/Subscription/SubscriptionEntity.php#L461"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3497425/wp-user-avatar#file14"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4cc29d32-2727-42df-bd42-2caf0f182c0e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.16.12]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "source": "cna", "vendor": "properfraction"}, "product": "paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_\u2013_profilepress", "vendor": "properfraction"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T09:05:00.620043+00:00", "value": {"mitigation_remediation": ["Upgrade ProfilePress to a patched version (if available).", "If an upgrade cannot be performed, modify the plugin code or apply a custom filter to reject checkout requests containing a change_plan_sub_id value when the target plan is inactive, effectively restoring the missing authorization check.", "Review all existing membership plans to ensure that no active subscriptions are linked to plans marked inactive and adjust the plan status if necessary."], "summary": {"action": "Apply Update", "impact": "Unauthorized subscription creation to inactive membership plans by authenticated users"}, "threat_synthesis": {"affected_systems": "All releases of the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin up to and including version 4.16.12 are affected. WordPress sites that have installed any of those versions are vulnerable. The CVE model does not identify a version that contains the authorization fix.", "description_and_impact": "The ProfilePress plugin for WordPress has a missing authorization check in its process_checkout method. When an authenticated user supplies an arbitrary change_plan_sub_id value in the checkout request, the plugin does not verify that the selected plan is active before creating the subscription. This flaw allows a Subscriber or higher level user to enroll in a membership plan that is marked inactive, potentially gaining access to privileges or triggering unintended billing for content that should not be available. This is a CWE-862: Missing Authorization.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity. The vulnerability requires authenticated access at the Subscriber level or higher, reducing the likelihood of widespread exploitation. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. The attacker can exploit the vulnerability by sending a crafted checkout request to the plugin's endpoint with a change_plan_sub_id parameter after authenticating with a genuine account, creating a subscription to an inactive plan immediately."}}}}, "created": "2026-04-16T00:00:13.938052+00:00", "updated": "2026-04-16T09:15:30.978814+00:00", "vendors": ["properfraction", "properfraction$PRODUCT$paid_membership_plugin,_ecommerce,_user_registration_form,_login_form,_user_profile_&_restrict_content_\u2013_profilepress", "wordpress", "wordpress$PRODUCT$wordpress"]}