ProfilePress Paid Membership Plugin
cpe:2.3:a:profilepress:profilepress:*:*:*:*:wordpress:*:*
- <= 4.16.11
A vulnerability exists in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress, affecting all versions through 4.16.11. The issue arises from a lack of proper ownership verification on the 'change_plan_sub_id' parameter within the 'process_checkout()' function. This flaw allows authenticated attackers with subscriber-level access or higher to manipulate proration calculations by referencing another user's active subscription during the checkout process. As a result, they can obtain paid lifetime membership plans without making a payment, using the 'ppress_process_checkout' AJAX action.
Exploitation of this vulnerability allows for unauthorized access to paid lifetime membership plans, bypassing the required payment.
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can initiate the checkout process while referencing another user's active subscription. The absence of ownership verification on the 'change_plan_sub_id' parameter allows manipulation of proration calculations, enabling the acquisition of a paid lifetime membership without payment.
Users are advised to update the plugin to version 4.16.12 or a newer patched version.
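The ownership check that the description above reports as missing can be sketched as follows. This is an added example, not ProfilePress code and not the vendor's patch: the function names, the in-memory subscription records and the proration formula are hypothetical and constructed for illustration. In WordPress the caller's ID would come from the session (`get_current_user_id()`), never from the request.

```php
<?php
declare(strict_types=1);

// Constructed sample records standing in for the subscriptions table (hypothetical schema).
const SUBSCRIPTIONS = [
    101 => ['user_id' => 7, 'status' => 'active',  'paid' => 120.00, 'unused_ratio' => 0.50],
    102 => ['user_id' => 9, 'status' => 'active',  'paid' => 300.00, 'unused_ratio' => 0.90],
    103 => ['user_id' => 7, 'status' => 'expired', 'paid' => 120.00, 'unused_ratio' => 0.00],
];

/**
 * Resolve a request-supplied subscription id (the role 'change_plan_sub_id' plays)
 * to a record only when it is active AND owned by the requesting user.
 * Returns null for malformed, unknown, inactive or foreign ids.
 */
function owned_active_subscription(mixed $raw_sub_id, int $current_user_id): ?array
{
    $sub_id = filter_var($raw_sub_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($sub_id === false || !array_key_exists($sub_id, SUBSCRIPTIONS)) {
        return null;
    }
    $sub = SUBSCRIPTIONS[$sub_id];
    // Ownership and state are checked before the record can influence any price.
    if ($sub['user_id'] !== $current_user_id || $sub['status'] !== 'active') {
        return null;
    }
    return $sub;
}

/** Amount due for the new plan after crediting only the caller's own unused time. */
function amount_due(float $new_plan_price, mixed $raw_sub_id, int $current_user_id): float
{
    $sub    = owned_active_subscription($raw_sub_id, $current_user_id);
    $credit = $sub === null ? 0.0 : $sub['paid'] * $sub['unused_ratio'];
    return round(max(0.0, $new_plan_price - $credit), 2);
}

// User 7 changing plan from their own active subscription: the proration credit applies.
var_dump(amount_due(250.00, '101', 7));
// User 7 referencing user 9's subscription: rejected, so the full price is due.
var_dump(amount_due(250.00, '102', 7));
// Expired and malformed ids are rejected the same way.
var_dump(amount_due(250.00, '103', 7));
var_dump(amount_due(250.00, 'abc', 7));
```

A production handler would normally reject the request outright on a failed ownership check and log it, rather than silently charging full price.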