CVE Catalog

CVE-2026-10820

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile — higher than 3% of all known CVEs

Summary

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before version 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription. This allows any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference (IDOR).

Risk Assessment

The organization is at risk of unauthorized subscription cancellations by regular users, potentially leading to revenue loss, disruption of premium content access, and erosion of customer trust.

Recommendation

Immediately update the plugin to version 4.16.17 or later, which includes a fix for the IDOR vulnerability. After updating, verify that the subscription authorization mechanism works correctly.

Original NVD description (English source)

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS