CVE-2026-1926 in Subscriptions for WooCommerce Plugin
Summary
by MITRE • 03/18/2026
The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via `wp_verify_nonce()`. This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the `wps_subscription_id` parameter.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/22/2026
The vulnerability identified in CVE-2026-1926 affects the Subscriptions for WooCommerce plugin, a widely used WordPress extension that manages subscription-based commerce functionality. This plugin integrates seamlessly with WooCommerce to handle recurring payments and subscription services for online stores. The flaw exists within the plugin's administrative functionality where the `wps_sfw_admin_cancel_susbcription()` function lacks proper authorization controls, creating a critical security gap that allows unauthorized modification of subscription data. The vulnerability stems from the function being improperly hooked to the WordPress `init` action without any capability verification or authentication checks, making it accessible to any user regardless of their privileges or authentication status.
The technical implementation of this vulnerability demonstrates a classic lack of input validation and authorization controls that aligns with CWE-863, or "Incorrect Authorization." The function accepts a `wps_subscription_id` parameter through GET requests and processes it without proper nonce validation. While the code performs a basic non-empty check on the nonce parameter, it fails to utilize WordPress's established nonce verification mechanism `wp_verify_nonce()` which is the standard security practice for preventing unauthorized actions. This omission creates a scenario where attackers can forge requests with arbitrary nonce values, bypassing the intended security controls. The vulnerability is particularly dangerous because it operates at the administrative level, allowing attackers to manipulate subscription statuses without needing valid credentials or administrative privileges.
The operational impact of this vulnerability extends beyond simple data modification, representing a significant threat to e-commerce operations and customer relationships. An unauthenticated attacker can cancel any active subscription simply by crafting a GET request with a valid subscription ID and a forged nonce value, potentially leading to revenue loss, customer service issues, and compromised business operations. This vulnerability affects all versions up to and including 1.9.2, indicating a prolonged period during which the flaw remained undetected and exploitable. The attack vector is particularly concerning as it requires minimal technical expertise to execute, making it attractive to threat actors who may target WooCommerce stores for financial gain or to disrupt business operations.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that properly implement authorization checks and nonce validation. The fix should ensure that the `wps_sfw_admin_cancel_susbcription()` function requires proper user capabilities before executing subscription cancellation operations, typically using WordPress's `current_user_can()` function to verify administrative privileges. Additionally, the nonce validation must be properly implemented using `wp_verify_nonce()` to ensure that all requests are authenticated and authorized. Organizations should also implement monitoring for suspicious subscription modification activities and consider network-level protections such as web application firewalls that can detect and block malformed requests attempting to exploit this vulnerability. This remediation aligns with ATT&CK technique T1078.004, which covers valid accounts and credential access, as the vulnerability essentially allows unauthorized access to administrative functions through the bypass of authentication mechanisms.