CVE-2026-3453 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: March 11, 2026
ProfilePress WordPress Plugin - Broken Access Control
Overview
ProfilePress WordPress plugin <= 4.16.11 contains an insecure direct object reference (IDOR) caused by missing ownership validation on the change_plan_sub_id parameter in process_checkout(), letting authenticated subscribers cancel other users' subscriptions.
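The following PHP snippet is an added illustration of the defect class described above (CWE-639, a client-supplied object id used without an ownership check) and of the fix pattern; it is not ProfilePress code, and every function name, array layout and value in it is hypothetical. In a WordPress plugin the "current user" input would come from get_current_user_id(); here it is passed in so the snippet runs stand-alone.

```php
<?php
// Added example, not ProfilePress code. Names and data are hypothetical.

// Constructed sample store: subscription id => owning customer id and status.
$subscriptions = [
    101 => ['customer_id' => 7,  'status' => 'active'],
    102 => ['customer_id' => 42, 'status' => 'active'],
];

// Vulnerable pattern: the id taken from the request selects the row and the
// row is modified, but nothing verifies that it belongs to the logged-in user.
function cancel_on_plan_change_insecure(array &$subs, int $current_user, int $change_plan_sub_id): string
{
    if (!isset($subs[$change_plan_sub_id])) {
        return 'not_found';
    }
    $subs[$change_plan_sub_id]['status'] = 'cancelled';
    return 'cancelled';
}

// Hardened pattern: resolve the row, then require its owner to equal the
// authenticated user before any state change. A mismatch fails closed and
// returns the same answer as a missing id, so the check does not become an
// oracle for which subscription ids exist.
function cancel_on_plan_change_secure(array &$subs, int $current_user, int $change_plan_sub_id): string
{
    $sub = $subs[$change_plan_sub_id] ?? null;
    if ($sub === null || $sub['customer_id'] !== $current_user) {
        return 'not_found';
    }
    $subs[$change_plan_sub_id]['status'] = 'cancelled';
    return 'cancelled';
}

// Demonstration: user 7 submits change_plan_sub_id=102, owned by user 42.
$copy = $subscriptions;
echo 'insecure, foreign id: ', cancel_on_plan_change_insecure($copy, 7, 102), "\n";
$copy = $subscriptions;
echo 'secure, foreign id:   ', cancel_on_plan_change_secure($copy, 7, 102), "\n";
echo 'secure, own id:       ', cancel_on_plan_change_secure($copy, 7, 101), "\n";
```

Run with `php example.php`: the insecure function cancels user 42's subscription on behalf of user 7, while the secure function refuses the foreign id and only cancels the caller's own subscription 101. The ownership comparison belongs next to the lookup, on the server, and must not be replaced by hiding the id in the form, since the parameter is attacker-controlled either way.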
Impact
Authenticated attackers can cancel other users' active subscriptions, causing immediate loss of paid access.
Mitigation
Update to a version later than 4.16.11.
References
- https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L237
- https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L334
- https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.9/src/Membership/Controllers/CheckoutController.php#L342
- https://plugins.trac.wordpress.org/changeset/3474509/wp-user-avatar/trunk/src/Membership/Controllers/CheckoutController.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/74e4808f-bd6f-4e62-91cb-31c86a427498?source=cve
Social Media Activity (1 post)
CVE-2026-3453 - High (8.1) The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() functi... https://www.thehackerwire.com/vulnerability/CVE-2026-3453/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-3453
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: unconfirmed
- EPSS: 4.1%
- Social Posts: 1
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H