ProfilePress Missing Authorization Vulnerability Allows Subscription to Inactive Plans

Vulnerability

A missing authorization vulnerability has been identified in the ProfilePress WordPress plugin, affecting all versions through 4.16.12. The issue lies in the 'process_checkout' function, which fails to verify that a membership plan is active when the 'change_plan_sub_id' parameter is supplied. As a result, authenticated users with Subscriber-level access and above can enroll in inactive membership plans by submitting a chosen 'change_plan_sub_id' value during checkout.

Impact

Exploitation of this vulnerability allows authenticated users to subscribe to inactive membership plans, potentially leading to unauthorized access to content or features restricted to active subscribers.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a checkout request that includes an arbitrary 'change_plan_sub_id' value. Because 'process_checkout' does not enforce the active-status check for the specified plan, the user is subscribed to an inactive plan.
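The following is an added illustration of the missing check the advisory describes; it is not ProfilePress code and does not reproduce the plugin's actual functions. A plan lookup that accepts any existing plan id is shown beside a hardened lookup that also requires the plan to be active. The plan catalogue, status values and helper names are constructed for the example, and 'change_plan_sub_id' is treated as the identifier of the requested plan, which is an assumption about the parameter's meaning.

```php
<?php
// Added illustration, not ProfilePress code. Plan data and helper names are
// constructed; 'change_plan_sub_id' is assumed to name the requested plan.

const STATUS_ACTIVE   = 'active';
const STATUS_INACTIVE = 'inactive';

/** Constructed plan catalogue standing in for the plugin's stored plans. */
function plan_catalogue(): array
{
    return [
        10 => ['name' => 'Basic',  'status' => STATUS_ACTIVE],
        11 => ['name' => 'Pro',    'status' => STATUS_ACTIVE],
        12 => ['name' => 'Legacy', 'status' => STATUS_INACTIVE],
    ];
}

/**
 * Vulnerable pattern (as the advisory describes it): any plan id that exists
 * is accepted for checkout, so a request naming the inactive 'Legacy' plan
 * goes through because the status is never consulted.
 */
function resolve_checkout_plan_vulnerable(array $plans, $change_plan_sub_id): ?int
{
    $plan_id = (int) $change_plan_sub_id;
    return isset($plans[$plan_id]) ? $plan_id : null;
}

/**
 * Hardened pattern: the parameter must be a positive integer and the plan it
 * names must both exist and be active; anything else is rejected server-side.
 */
function resolve_checkout_plan_hardened(array $plans, $change_plan_sub_id): ?int
{
    // Reject non-numeric or non-positive values before touching storage.
    if (!is_scalar($change_plan_sub_id) || !ctype_digit((string) $change_plan_sub_id)) {
        return null;
    }
    $plan_id = (int) $change_plan_sub_id;
    if ($plan_id <= 0 || !isset($plans[$plan_id])) {
        return null;
    }
    // The check the advisory reports as missing: enforce active status on the
    // server regardless of what the client submitted.
    if ($plans[$plan_id]['status'] !== STATUS_ACTIVE) {
        // Constructed audit line: rejected plan changes are worth logging so
        // repeated attempts against inactive plans can be detected.
        error_log("checkout rejected: plan {$plan_id} is not active");
        return null;
    }
    return $plan_id;
}

// Demonstration: the same submitted values against both resolvers.
$plans = plan_catalogue();
foreach (['11', '12', '-1', 'abc'] as $submitted) {
    $v = resolve_checkout_plan_vulnerable($plans, $submitted);
    $h = resolve_checkout_plan_hardened($plans, $submitted);
    printf("change_plan_sub_id=%-4s vulnerable=%s hardened=%s\n",
        $submitted,
        $v === null ? 'reject' : "plan {$v}",
        $h === null ? 'reject' : "plan {$h}");
}
```

Run with `php example.php`: the value `12` (the inactive plan) is accepted by the vulnerable resolver and rejected by the hardened one, while `-1` and `abc` are rejected by both. In a real plugin the hardened check would sit alongside the existing nonce and capability checks, and a practitioner would also confirm that the subscription being changed belongs to the acting user, a condition this example does not model.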

Remediation

Users are advised to update the ProfilePress WordPress plugin to version 4.16.13 or a later patched version.

Added: Apr 15, 2026, 11:32 PM
Updated: Apr 15, 2026, 11:32 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 6.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.