CVE-2026-3445 is a missing authorization vulnerability (CWE-862) in the ProfilePress WordPress plugin that enables authenticated attackers to bypass payment for paid lifetime membership plans. The flaw arises from the lack of ownership verification on the change_plan_sub_id parameter within the process_checkout() function, which is invoked through the ppress_process_checkout AJAX action. Attackers with subscriber or higher privileges can reference another user's active subscription to manipulate proration calculations during checkout, effectively obtaining paid memberships without payment. The vulnerability has a CVSS 3.1 base score of 7.1, indicating high severity. No patch or official remediation has been disclosed as of the publication date.

An attacker with subscriber-level or higher access can exploit this vulnerability to obtain paid lifetime membership plans without making payment by manipulating subscription references during checkout. This leads to unauthorized access to paid content or services, resulting in financial loss and potential abuse of membership privileges. The vulnerability does not impact confidentiality beyond limited information disclosure (low), but has a high impact on integrity due to unauthorized membership acquisition. Availability is not affected.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level user capabilities where possible and monitor for suspicious checkout activity. Avoid granting unnecessary privileges to users and consider disabling or limiting the use of the affected AJAX action if feasible. Follow updates from the plugin vendor for official patches or mitigations.