PatchSiren cyber security CVE debrief
CVE-2026-10820 Paid Membership Plugin CVE debrief
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 has a vulnerability that allows any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference. This issue has a CVSS score of 8.1 and is classified as HIGH severity. The vulnerability was published on June 27, 2026, and last modified on June 29, 2026. The CVE record and NVD detail provide official information about this vulnerability.
- Vendor: Paid Membership Plugin
- Product: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-27
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-27
- Advisory updated: 2026-06-29
Who should care
Administrators and users of the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin should be aware of this vulnerability and apply the fixed version to protect their sites. Because any authenticated user (Subscriber+) can exploit it, sites that allow open registration are particularly exposed. The vulnerability allows unauthorized cancellation of other users' active subscriptions, which can have financial and reputational impacts.
Technical summary
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription. This allows any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating a high severity vulnerability. The vulnerability was published on June 27, 2026, and last modified on June 29, 2026.
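To make the missing check concrete, the following is an added illustration of the IDOR pattern described above and its hardened form; it is not the plugin's own code. It assumes, hypothetically, that subscriptions are stored as a custom post type `pm_subscription` whose `post_author` is the owning user, and that cancellation is requested through admin-ajax.php with an action named `pm_cancel_subscription`.

```php
<?php
// Added example, not the plugin's code. Assumed (hypothetical): subscriptions are
// a custom post type 'pm_subscription' owned via post_author, and cancellation
// is an admin-ajax action 'pm_cancel_subscription' with a 'subscription_id' field.

// Vulnerable pattern: the handler trusts the submitted subscription_id and
// cancels it without checking who owns it, so any logged-in user can target
// a subscription belonging to someone else.
function pm_cancel_subscription_vulnerable() {
    $subscription_id = absint( $_POST['subscription_id'] ?? 0 );
    update_post_meta( $subscription_id, 'pm_status', 'cancelled' );
    wp_send_json_success();
}

// Hardened pattern: CSRF nonce, an existence/type check, and an ownership check
// that compares the subscription's owner with the acting user.
function pm_cancel_subscription_hardened() {
    // Rejects the request (and exits) if the nonce is missing or invalid.
    check_ajax_referer( 'pm_cancel_subscription', 'nonce' );

    $user_id         = get_current_user_id();
    $subscription_id = absint( $_POST['subscription_id'] ?? 0 );

    if ( 0 === $user_id ) {
        wp_send_json_error( 'login required', 401 ); // exits
    }

    $subscription = get_post( $subscription_id );
    if ( ! $subscription || 'pm_subscription' !== $subscription->post_type ) {
        // Same response for "missing" and "not yours", so IDs cannot be enumerated.
        wp_send_json_error( 'subscription not found', 404 ); // exits
    }

    $is_owner = (int) $subscription->post_author === $user_id;
    $is_admin = current_user_can( 'manage_options' );
    if ( ! $is_owner && ! $is_admin ) {
        wp_send_json_error( 'subscription not found', 404 ); // exits
    }

    update_post_meta( $subscription_id, 'pm_status', 'cancelled' );
    wp_send_json_success( array( 'subscription_id' => $subscription_id ) );
}

// wp_ajax_ hooks only fire for authenticated users; the ownership check is what
// closes the IDOR, since authentication alone is the vulnerable state.
add_action( 'wp_ajax_pm_cancel_subscription', 'pm_cancel_subscription_hardened' );
```

The `manage_options` branch stands in for whatever administrative capability the site actually grants to staff who legitimately cancel subscriptions on behalf of users.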
Defensive priority
High priority should be given to updating the Paid Membership Plugin to version 4.16.17 or later. Site administrators should also monitor their sites for any suspicious activity related to subscription cancellations.
Recommended defensive actions
- Update the Paid Membership Plugin to version 4.16.17 or later.
- Monitor site activity for suspicious subscription cancellation attempts.
- Restrict access to sensitive subscription management features.
- Implement additional logging and monitoring to detect potential exploitation attempts.
- Consider compensating controls, such as rate limiting or blocking offending IP addresses, to limit exploitation attempts until the update is applied.
Evidence notes
The CVE record and NVD detail provide official information about this vulnerability. The WPScan reference provides additional context and details about the vulnerability. The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity.
Official resources
- CVE-2026-10820 CVE record (CVE.org)
- CVE-2026-10820 NVD detail (NVD)
- Source item: nvd_modified
- Source reference
This article is AI-assisted and based on the supplied source corpus.