CVE-2026-10820
HIGH 8.1 · PoC AVAILABLE
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
Public exploit or PoC code exists. Modeled probability is still low, but the barrier to attack is reduced — watch closely.
Exploitation likelihood
0.2% chance of exploitation in 30 days · 13th percentile
Impact if exploited
8.1 · CVSS 3.1 · HIGH
- Confidentiality: None
- Integrity: High
- Availability: High
What an attacker needs
- ✓ Access: Reachable over the network; no local access needed
- ⚠ Privileges: Requires a low-privilege account
- ✓ User interaction: No user interaction needed
- ✓ Complexity: No special conditions; reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Proof of concept & exploit code
Listed for defensive triage and patch prioritization.
Affected
Vendors: Unknown
Products: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content
Weakness (CWE)
Not classified.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H