JustAppSec

ProfilePress patches membership payment bypass via checkout authorization flaw

2 min read | Published 04 Apr 2026 | Updated 04 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — A missing ownership check in the ProfilePress checkout lets any authenticated user (subscriber role or higher) reference another user's active subscription, skew the proration calculation, and obtain paid membership plans without paying.

What happened

ProfilePress is a WordPress plugin that provides membership/subscription features and ecommerce-style checkout flows (including paid plans and user registration).

CVE-2026-3445 describes a missing authorization / ownership verification issue in the plugin’s checkout logic: the change_plan_sub_id parameter is not properly ownership-checked in the process_checkout() function. As described in the CVE record, an authenticated attacker with subscriber-level access or higher can reference another user’s active subscription during checkout to manipulate proration calculations and obtain paid lifetime membership plans without payment via the ppress_process_checkout AJAX action.

This is scored CVSS v3.1 7.1 (High). It is not remote code execution, but it is operationally high-impact for membership businesses: it directly breaks revenue controls, and it is an instance of a recurring appsec failure mode in plugins, namely a user-controlled object identifier on a billing or entitlement path that the server never binds to the requesting user.
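To make that failure mode concrete, here is an added illustration (not ProfilePress code and not the vendor's patch) of a WordPress AJAX checkout handler in the shape the CVE record describes: first with the client-supplied subscription ID trusted as-is, then with the ownership check a patched handler needs. Only the parameter name change_plan_sub_id and the action name ppress_process_checkout come from the CVE record; the table, column names, nonce action, hook name and proration helper are assumptions made for the example.

```php
<?php
// Added example, not ProfilePress code. Assumed schema: a table
// {$wpdb->prefix}example_subscriptions with columns id, customer_user_id,
// status, amount, period_start, period_end. change_plan_sub_id and
// ppress_process_checkout are the names from the CVE record; every other
// name here is hypothetical.

// VULNERABLE shape: the subscription is looked up by ID alone, so any
// logged-in user can point change_plan_sub_id at another user's active
// subscription and have its unused value credited to their own checkout.
function example_process_checkout_vulnerable() {
    global $wpdb;
    $sub_id = absint( $_POST['change_plan_sub_id'] ?? 0 );
    $table  = $wpdb->prefix . 'example_subscriptions';
    $sub    = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d AND status = 'active'", $sub_id )
    );
    // No check that $sub->customer_user_id is the current user.
    return $sub ? example_proration_credit( $sub ) : 0.0;
}

// HARDENED shape: require a logged-in user, bind the lookup to that user,
// and fail closed when the subscription is not theirs.
function example_process_checkout_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_checkout_nonce', 'nonce' );
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }
    $sub_id = absint( $_POST['change_plan_sub_id'] ?? 0 );
    $credit = 0.0;
    if ( $sub_id ) {
        $table = $wpdb->prefix . 'example_subscriptions';
        // Ownership is part of the query: a subscription that exists but belongs
        // to someone else is indistinguishable from one that does not exist.
        $sub = $wpdb->get_row(
            $wpdb->prepare(
                "SELECT * FROM {$table} WHERE id = %d AND customer_user_id = %d AND status = 'active'",
                $sub_id,
                $user_id
            )
        );
        if ( ! $sub ) {
            wp_send_json_error( array( 'message' => 'subscription not found' ), 404 );
        }
        $credit = example_proration_credit( $sub );
    }
    // Plan lookup, amount due, payment capture and the plan grant would follow;
    // the grant must happen only after the processor confirms payment.
    return $credit;
}

// Hypothetical proration: the unused fraction of the current period's price.
function example_proration_credit( $sub ) {
    $total  = max( 1, (int) $sub->period_end - (int) $sub->period_start );
    $unused = max( 0, (int) $sub->period_end - time() );
    return round( (float) $sub->amount * $unused / $total, 2 );
}

// Hypothetical hook name; the real plugin's action is ppress_process_checkout.
add_action( 'wp_ajax_example_process_checkout', 'example_process_checkout_hardened' );
```

The same binding applies to every identifier the checkout accepts from the client (plan ID, order ID, coupon, subscription ID): look each one up scoped to the current user, and recompute the amount due on the server rather than trusting any total or credit echoed back by the browser.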

Who is impacted

  • WordPress sites running Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress versions <= 4.16.11.
  • Sites that allow user self-registration (enabling an attacker to obtain subscriber-level access) and sell paid plans where proration/plan-change logic is enabled.
  • Environments where membership state (e.g., “lifetime”) unlocks high-value content, downloads, community/admin workflows, or integrations.
Component                       Affected versions (per CVE/Wordfence)   Patched version (per Wordfence)
wp-user-avatar / ProfilePress   <= 4.16.11                               4.16.12

What to do now

  • Follow vendor remediation guidance and apply a patched release: update to version 4.16.12, or a newer patched version.

  • Treat this as an entitlement-integrity issue, not only a patching task: review whether any users have unexpected plan transitions (especially to "lifetime" or high-tier plans) that do not correspond to successful payments.
  • Add/verify server-side authorization on subscription and plan-change identifiers in any custom checkout/membership extensions (do not trust client-provided subscription IDs like change_plan_sub_id).
  • If exploitation is suspected, review request logs for suspicious usage of ppress_process_checkout (e.g., repeated checkout attempts from one account or IP, or change_plan_sub_id values that do not belong to the requesting user) and reconcile payment processor records with membership state.
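The two review steps above (anomalous change_plan_sub_id usage, and paid-plan grants with no matching payment) as one added triage script. This is not ProfilePress code; all data in it is constructed for the example, and the field names, the subscription-owner map and the one-hour payment window are assumptions. A real run would load the same shapes from the site's database, a full-request or WAF log, and a payment-processor export.

```php
<?php
// Added triage example, not ProfilePress code. Every record below is
// constructed for the example; field names are assumptions.

// Constructed request log, one entry per admin-ajax.php POST, as a WAF or
// full-request logger might record it. A plain access log does not contain
// the POST body, so neither the action nor change_plan_sub_id appears there.
$requests = [
    ['ts' => '2026-04-01T10:02:11Z', 'ip' => '203.0.113.7',  'user_id' => 42, 'action' => 'ppress_process_checkout', 'change_plan_sub_id' => 17],
    ['ts' => '2026-04-01T10:02:40Z', 'ip' => '203.0.113.7',  'user_id' => 42, 'action' => 'ppress_process_checkout', 'change_plan_sub_id' => 18],
    ['ts' => '2026-04-01T10:03:05Z', 'ip' => '203.0.113.7',  'user_id' => 42, 'action' => 'ppress_process_checkout', 'change_plan_sub_id' => 19],
    ['ts' => '2026-04-02T08:15:00Z', 'ip' => '198.51.100.9', 'user_id' => 7,  'action' => 'ppress_process_checkout', 'change_plan_sub_id' => 3],
];

// Constructed subscription table: subscription id => owning user id.
$subscription_owner = [3 => 7, 17 => 11, 18 => 12, 19 => 13];

// Constructed membership state changes and payment processor records.
$plan_changes = [
    ['user_id' => 42, 'to_plan' => 'lifetime', 'ts' => '2026-04-01T10:03:06Z'],
    ['user_id' => 7,  'to_plan' => 'pro',      'ts' => '2026-04-02T08:15:02Z'],
];
$payments = [
    ['user_id' => 7, 'status' => 'succeeded', 'amount' => 49.00, 'ts' => '2026-04-02T08:15:01Z'],
];

/** Checkout requests whose change_plan_sub_id names a subscription the requester does not own. */
function find_foreign_sub_refs(array $requests, array $owners): array {
    $hits = [];
    foreach ($requests as $r) {
        if ($r['action'] !== 'ppress_process_checkout' || empty($r['change_plan_sub_id'])) {
            continue;
        }
        $owner = $owners[$r['change_plan_sub_id']] ?? null;
        if ($owner !== $r['user_id']) {
            $hits[] = $r;
        }
    }
    return $hits;
}

/** Number of checkout requests per user, to surface repeated attempts. */
function count_checkout_attempts(array $requests): array {
    $counts = [];
    foreach ($requests as $r) {
        if ($r['action'] === 'ppress_process_checkout') {
            $counts[$r['user_id']] = ($counts[$r['user_id']] ?? 0) + 1;
        }
    }
    return $counts;
}

/** Plan grants with no succeeded payment for that user in the $window_s seconds before the grant. */
function find_unpaid_grants(array $changes, array $payments, int $window_s = 3600): array {
    $unpaid = [];
    foreach ($changes as $c) {
        $granted = strtotime($c['ts']);
        $paid = false;
        foreach ($payments as $p) {
            $pts = strtotime($p['ts']);
            if ($p['user_id'] === $c['user_id'] && $p['status'] === 'succeeded'
                && $pts <= $granted && $granted - $pts <= $window_s) {
                $paid = true;
                break;
            }
        }
        if (!$paid) {
            $unpaid[] = $c;
        }
    }
    return $unpaid;
}

foreach (find_foreign_sub_refs($requests, $subscription_owner) as $r) {
    printf("foreign sub ref: user %d from %s referenced sub %d at %s\n",
        $r['user_id'], $r['ip'], $r['change_plan_sub_id'], $r['ts']);
}
foreach (count_checkout_attempts($requests) as $uid => $n) {
    if ($n >= 3) {
        printf("repeated checkout attempts: user %d made %d requests\n", $uid, $n);
    }
}
foreach (find_unpaid_grants($plan_changes, $payments) as $c) {
    printf("unpaid grant: user %d -> %s at %s\n", $c['user_id'], $c['to_plan'], $c['ts']);
}
```

On the constructed data this reports three foreign subscription references and three checkout requests for user 42, plus that user's lifetime grant with no payment behind it, while user 7's plan change matches a succeeded payment and is not flagged. Any user surfaced by the last check should have the plan reverted, the account reviewed, and the originating requests correlated with the first two checks.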
