CVE-2026-10820
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before version 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription. This allows any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference (IDOR).
Risk Assessment
The organization is at risk of unauthorized subscription cancellations by regular users, potentially leading to revenue loss, disruption of premium content access, and erosion of customer trust.
Recommendation
Immediately update the plugin to version 4.16.17 or later, which includes a fix for the IDOR vulnerability. After updating, verify that the subscription authorization mechanism works correctly.
Original NVD description (English source)
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.

