ProfilePress WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Arbitrary Subscription Cancellation and Expiration

Vulnerability

The ProfilePress plugin for WordPress is affected in versions up to and including 4.16.11. The issue is an Insecure Direct Object Reference (IDOR): the 'process_checkout()' function acts on the 'change_plan_sub_id' parameter without verifying that the subscription it identifies belongs to the requesting user. Any authenticated user with Subscriber-level access or above can therefore cancel and expire another user's active subscription simply by supplying that subscription's ID during checkout. The victim immediately loses access to the paid services tied to the subscription.

Impact

Exploitation allows unauthorized cancellation and expiration of other users' subscriptions, causing those users to lose paid access. The attacker needs nothing more than a low-privilege (Subscriber) account on the site and the ID of the target subscription.

Reproduction

To reproduce, an authenticated user with Subscriber-level access or higher sends a request to the 'ppress_process_checkout' AJAX handler (WordPress dispatches such handlers through wp-admin/admin-ajax.php, selected by the 'action' parameter) and includes a 'change_plan_sub_id' parameter set to the ID of a subscription the user does not own. Whatever other fields and nonce the normal checkout form submits must be included as well; the advisory does not enumerate them. Because 'process_checkout()' performs no ownership verification, the specified subscription is cancelled and expired. Confirm the effect by checking that the target subscription's status has changed, while the requesting account's own subscriptions are untouched.
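The shape of the bug and the check that closes it, as an added example written for this page rather than ProfilePress's own code: the handler, the helper functions, the nonce action and the subscriptions table below are hypothetical stand-ins modelled on the behaviour described above, and only the WordPress core calls (check_ajax_referer, is_user_logged_in, get_current_user_id, absint, wp_send_json_error, wp_send_json_success, $wpdb) are real.

```php
<?php
// Added illustration for this page; not ProfilePress code. The handler, the
// helper functions, the nonce action and the table name are hypothetical
// stand-ins for whatever the plugin actually uses. Only the WordPress core
// API calls are real.

// Hypothetical lookup: returns the subscription row or null.
function example_sub_lookup( int $sub_id ): ?array {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subscriptions'; // hypothetical table
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id, status FROM {$table} WHERE id = %d", $sub_id ),
        ARRAY_A
    );
    return $row ?: null;
}

// Hypothetical state change: what a plan switch does to the old subscription.
function example_sub_cancel_and_expire( int $sub_id ): void {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'example_subscriptions',
        [ 'status' => 'expired', 'cancelled_at' => current_time( 'mysql', true ) ],
        [ 'id' => $sub_id ],
        [ '%s', '%s' ],
        [ '%d' ]
    );
}

// VULNERABLE shape (the IDOR): the id comes straight from the request and is
// acted on without confirming the caller owns it, so any logged-in account can
// expire any subscription by choosing the id. The nonce only stops CSRF; it
// says nothing about whether the caller is allowed to touch this object.
function example_process_checkout_vulnerable(): void {
    check_ajax_referer( 'example_checkout', 'nonce' ); // hypothetical nonce action
    $sub_id = absint( $_POST['change_plan_sub_id'] ?? 0 );
    if ( $sub_id > 0 ) {
        example_sub_cancel_and_expire( $sub_id ); // no ownership check
    }
    wp_send_json_success();
}

// HARDENED shape: resolve the object first, then compare its owner with the
// authenticated user before doing anything to it.
function example_process_checkout_hardened(): void {
    check_ajax_referer( 'example_checkout', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 ); // wp_send_json_error() exits
    }
    $sub_id = absint( $_POST['change_plan_sub_id'] ?? 0 );
    if ( $sub_id > 0 ) {
        $sub = example_sub_lookup( $sub_id );
        // Identical response for "does not exist" and "belongs to someone else",
        // so the endpoint cannot be used to enumerate valid subscription ids.
        if ( null === $sub || (int) $sub['user_id'] !== get_current_user_id() ) {
            wp_send_json_error( 'subscription not found', 404 );
        }
        if ( 'active' !== $sub['status'] ) {
            wp_send_json_error( 'subscription is not active', 400 );
        }
        example_sub_cancel_and_expire( $sub_id );
    }
    wp_send_json_success();
}

// Registered under a hypothetical action name. The real handler named in the
// advisory is reached as action=ppress_process_checkout on admin-ajax.php.
add_action( 'wp_ajax_example_process_checkout', 'example_process_checkout_hardened' );
```

The ownership comparison belongs on the server-side record, never on a user-supplied owner field; a client that can set change_plan_sub_id can just as easily set a user_id. Returning the same 404 for foreign and missing IDs is a small extra that keeps the fixed endpoint from leaking which subscription IDs exist.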

Remediation

Users are advised to update the ProfilePress WordPress plugin to version 4.16.12 or later, which adds the missing ownership check. After updating, review subscriptions that were cancelled or expired while a vulnerable version was installed for changes the owners did not initiate.

Added: Mar 11, 2026, 3:19 AM
Updated: Mar 11, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.