{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/membership/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-3445"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","membership"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe ProfilePress plugin for WordPress, specifically the \u0026ldquo;Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile \u0026amp; Restrict Content\u0026rdquo; version 4.16.11 and earlier, contains a vulnerability (CVE-2026-3445) that allows authenticated attackers to bypass membership payment requirements. This flaw stems from a missing ownership verification on the \u003ccode\u003echange_plan_sub_id\u003c/code\u003e parameter within the \u003ccode\u003eprocess_checkout()\u003c/code\u003e function. An attacker with subscriber-level access can exploit this by referencing another user\u0026rsquo;s active subscription during the checkout process. This manipulation affects proration calculations, ultimately enabling the attacker to obtain paid lifetime membership plans without submitting legitimate payment. This vulnerability is triggered via the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action, making it critical for defenders to implement appropriate detection and mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers a new account on the WordPress site with the vulnerable ProfilePress plugin installed, obtaining subscriber-level access.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid, active subscription ID belonging to another user within the ProfilePress system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the purchase of a paid membership plan (e.g., a lifetime membership).\u003c/li\u003e\n\u003cli\u003eDuring the checkout process, the attacker intercepts the HTTP request sent to the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003echange_plan_sub_id\u003c/code\u003e parameter within the request, replacing the expected value with the subscription ID of the other user.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003eprocess_checkout()\u003c/code\u003e function fails to properly validate the ownership of the provided \u003ccode\u003echange_plan_sub_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated \u003ccode\u003echange_plan_sub_id\u003c/code\u003e, the proration calculations are skewed, resulting in a significantly reduced or zeroed payment amount.\u003c/li\u003e\n\u003cli\u003eThe attacker completes the checkout process without making a legitimate payment and is granted access to the paid membership plan.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3445 allows attackers to bypass payment requirements and gain unauthorized access to premium content and features offered through the ProfilePress plugin. This can result in significant revenue loss for website owners relying on paid memberships. The number of affected websites is potentially large, given the popularity of WordPress and the ProfilePress plugin. This vulnerability could also damage the reputation of the affected website and erode trust among legitimate paying members.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to ProfilePress version 4.16.12 or later to patch CVE-2026-3445 (reference: vulnerability description).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ProfilePress Membership Bypass Attempt\u003c/code\u003e to your SIEM and tune for your environment to detect potential exploitation attempts by monitoring for the use of the \u003ccode\u003eppress_process_checkout\u003c/code\u003e AJAX action with suspicious \u003ccode\u003echange_plan_sub_id\u003c/code\u003e values (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eppress_process_checkout\u003c/code\u003e to identify potential exploit attempts (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T09:16:20Z","date_published":"2026-04-04T09:16:20Z","id":"/briefs/2026-04-profilepress-bypass/","summary":"The ProfilePress WordPress plugin before 4.16.12 is vulnerable to an unauthorized membership payment bypass, allowing authenticated attackers to obtain paid memberships without payment by manipulating subscription IDs during checkout.","title":"ProfilePress WordPress Plugin Membership Payment Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-profilepress-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Membership","version":"https://jsonfeed.org/version/1.1"}