WordPress ProfilePress Plugin CVE-2026-3445 Allows Membership Payment Bypass
Summary
CVE-2026-3445 is a high-severity vulnerability in the ProfilePress WordPress plugin that allows an unauthorized membership payment bypass. The flaw lies in the plugin's paid membership and user registration form functionality, enabling attackers to bypass the payment requirement for premium memberships. The CVSS score is 7.1.
Threat Analysis
CVE-2026-3445 is a high-severity unauthorized membership payment bypass vulnerability in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress, with a CVSS score of 7.1.
Affected Products: ProfilePress WordPress plugin (directory slug wp-user-avatar), all versions before the patched release.
Impact: Attackers can exploit this vulnerability to bypass payment requirements for premium memberships, gaining unauthorized access to paid content and features on WordPress sites using this plugin.
Recommended Mitigations: Update the ProfilePress plugin to the latest patched version (changeset 3474509 or later). WordPress administrators should review active memberships for signs of unauthorized access and audit payment processing logs.
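The membership review recommended above can be done mechanically: export the site's active memberships and its payment/order log, then flag every active membership that has no completed payment of the expected amount behind it. The script below is an added example written for this advisory, not ProfilePress code, and it does not touch the plugin's database directly. The CSV column names, plan prices and sample rows are all constructed assumptions for the example; an administrator would substitute the columns of their own export.

```python
"""Reconcile active memberships against payment records.

Added example for the CVE-2026-3445 advisory; not code from the ProfilePress
plugin. It assumes an administrator has exported two CSV files (memberships
and payment orders). The column names below are assumptions chosen for the
example, not the plugin's real schema.
"""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample membership export (assumed columns).
MEMBERSHIPS_CSV = """membership_id,user_id,plan,status,order_id
1001,5,pro,active,O-501
1002,6,pro,active,O-502
1003,7,basic,active,O-503
1004,8,pro,active,
1005,9,pro,cancelled,O-505
"""

# Constructed sample payment/order log (assumed columns).
PAYMENTS_CSV = """order_id,plan,amount,status,gateway
O-501,pro,49.00,completed,stripe
O-502,pro,0.00,completed,stripe
O-503,basic,19.00,pending,paypal
O-505,pro,49.00,completed,stripe
"""

# Expected price per plan; assumed values for the example.
PLAN_PRICES = {"pro": Decimal("49.00"), "basic": Decimal("19.00")}


@dataclass
class Finding:
    membership_id: str
    user_id: str
    reason: str


def load_rows(text):
    """Parse a CSV export held in memory into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_memberships(memberships_csv, payments_csv, plan_prices):
    """Return a Finding for every active membership lacking a valid payment.

    A membership is flagged when it has no order record, when its order is
    not in 'completed' state, when the amount paid is below the plan price,
    or when the paid plan differs from the membership plan.
    """
    payments = {p["order_id"]: p for p in load_rows(payments_csv)}
    findings = []
    for m in load_rows(memberships_csv):
        if m["status"] != "active":
            continue  # only active memberships grant access; skip the rest
        order = payments.get(m["order_id"]) if m["order_id"] else None
        if order is None:
            findings.append(Finding(m["membership_id"], m["user_id"],
                                    "active membership with no payment record"))
            continue
        if order["status"] != "completed":
            findings.append(Finding(m["membership_id"], m["user_id"],
                                    f"payment status is '{order['status']}', not completed"))
            continue
        expected = plan_prices.get(m["plan"])
        paid = Decimal(order["amount"])
        if expected is None or paid < expected:
            findings.append(Finding(m["membership_id"], m["user_id"],
                                    f"paid {paid} but plan '{m['plan']}' costs {expected}"))
        elif order["plan"] != m["plan"]:
            findings.append(Finding(m["membership_id"], m["user_id"],
                                    f"order plan '{order['plan']}' differs from membership plan '{m['plan']}'"))
    return findings


if __name__ == "__main__":
    for f in audit_memberships(MEMBERSHIPS_CSV, PAYMENTS_CSV, PLAN_PRICES):
        print(f"membership {f.membership_id} (user {f.user_id}): {f.reason}")
```

On the constructed sample data the audit flags three memberships: one whose order was "completed" for 0.00 against a 49.00 plan, one whose order is still pending, and one with no order at all. A zero-amount or missing order behind an active premium membership is the pattern a payment bypass would leave, which is why the check compares against the plan price rather than only looking at order status.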