Overview
A high-severity unauthorized membership payment bypass vulnerability has been identified in the ProfilePress plugin for WordPress — a widely used all-in-one solution for user registration, login, profiles, and paid membership management. Designated CVE-2026-3445, the flaw has a CVSS base score of 7.1 and is present in all plugin versions up to and including 4.16.11.
The vulnerability allows attackers to circumvent the plugin's payment verification logic and gain unauthorized access to paid membership tiers and restricted content without completing a valid transaction.
Technical Details
The root cause is a missing ownership verification step within the membership processing flow. Specifically, the plugin fails to properly confirm that the user initiating a membership state change is the rightful owner of the associated subscription or order record before applying the access grant.
This allows an attacker to:
- Reference an existing membership or order record that belongs to another user, or a fraudulent payment object
- Trigger the activation or renewal endpoint with the target object's identifier
- Have the plugin elevate their own account to the corresponding membership tier without a completed payment
Because the check is absent rather than merely weak, rate limiting and brute-force protections do not mitigate it: ordinary authenticated requests are sufficient.
Impact
| Attribute | Value |
|---|---|
| CVSS Score | 7.1 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated) |
| Confidentiality Impact | High |
| Integrity Impact | High |
An attacker exploiting this flaw could:
- Access paid content for free — unlock premium articles, courses, downloads, or community areas protected by ProfilePress membership tiers
- Escalate membership levels — move from a free or lower-tier account to a premium or enterprise tier without payment
- Impersonate subscription states — disrupt billing records, affecting revenue reporting and legitimate user management
- Chained exploitation — use elevated membership access to reach functionality that enables further privilege escalation within the WordPress installation
Sites monetizing content—online courses, news paywalls, community platforms, SaaS products built on WordPress—face the highest risk.
Affected Versions
- ProfilePress (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content): all versions ≤ 4.16.11
Remediation
- Update ProfilePress immediately to the latest version past 4.16.11 once a patched release is published.
- Audit existing memberships for anomalous activations—accounts that gained premium access without corresponding payment records.
- Restrict registration endpoints at the server or WAF level to add a layer of validation while awaiting a plugin patch.
- Enable two-factor authentication on WordPress admin accounts to reduce attack surface for chained escalation scenarios.
- Review payment webhook logs and flag any membership activations not correlated with a completed Stripe, PayPal, or gateway event.
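As a worked version of the last two audit steps, here is an added example (not code from this advisory or from ProfilePress) that correlates membership activations with gateway payment events and flags any activation that has no completed payment, or whose order was paid by a different user, which is the ownership mismatch this advisory describes. The record layouts, order ids and users are constructed for the example, not the plugin's real tables or log formats.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Activation:
    """A membership grant; order_id is the record it was granted against."""
    user_id: int
    plan: str
    order_id: str

@dataclass(frozen=True)
class Payment:
    """A gateway event; user_id is the customer who actually paid."""
    order_id: str
    user_id: int
    status: str    # e.g. "completed", "pending", "refunded"
    gateway: str

def audit(activations, payments):
    """Return (activation, reason) pairs that need manual review."""
    by_order = {p.order_id: p for p in payments}
    findings = []
    for act in activations:
        pay = by_order.get(act.order_id)
        if pay is None:
            findings.append((act, "no payment event for order"))
        elif pay.status != "completed":
            findings.append((act, f"payment status is {pay.status}"))
        elif pay.user_id != act.user_id:
            # The signature of the missing ownership check: an activation
            # granted against an order that belongs to someone else.
            findings.append((act, f"order paid by user {pay.user_id}, not {act.user_id}"))
    return findings

# Constructed sample data (hypothetical order ids and user ids).
SAMPLE_PAYMENTS = [
    Payment("ord-1001", 3, "completed", "stripe"),
    Payment("ord-1002", 5, "completed", "paypal"),
    Payment("ord-1003", 9, "pending", "stripe"),
]
SAMPLE_ACTIVATIONS = [
    Activation(3, "premium", "ord-1001"),   # legitimate
    Activation(7, "premium", "ord-1001"),   # granted against another user's order
    Activation(5, "premium", "ord-1002"),   # legitimate
    Activation(9, "premium", "ord-1003"),   # payment never completed
    Activation(11, "premium", "ord-9999"),  # no payment event at all
]

if __name__ == "__main__":
    for act, reason in audit(SAMPLE_ACTIVATIONS, SAMPLE_PAYMENTS):
        print(f"user {act.user_id} ({act.plan}, {act.order_id}): {reason}")
```

In practice the two input lists would be exported from the membership table and the gateway webhook log; every flagged row is a candidate for revocation and a refund check, not automatic proof of abuse.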