Home

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-27 | Updated 2026-06-27 | Assigner WPScan

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version before 4.16.17
affected

Credits

Haitam Lazaar finder

WPScan coordinator

References

wpscan.com/...rability/cb7ad514-e0d5-4ff3-803a-918cdc194f39/ exploit vdb-entry technical-description

cve.org (CVE-2026-10820)

nvd.nist.gov (CVE-2026-10820)

Download JSON