CVE-2026-1926 affects Subscriptions for WooCommerce versions 1.9.2 and below. It’s a missing authorisation vulnerability, and it’s a textbook example of a broken access control pattern that crops up more often than you’d hope in WordPress plugins.
What happened
The plugin has an admin function called wps_sfw_admin_cancel_susbcription() (note: the typo “susbcription” is in the actual function name). Despite the name suggesting it’s admin-only, this function is hooked to the WordPress init action, which fires on every page load, for every visitor.
The function accepts GET parameters to cancel a subscription. It does check for a nonce parameter, but here’s the critical mistake: it only checks that the nonce exists and is non-empty. It doesn’t actually validate it with wp_verify_nonce():
if ( isset( $_GET['wps_subscription_status_admin'] )
    && isset( $_GET['wps_subscription_id'] )
    && isset( $_GET['_wpnonce'] )
    && ! empty( $_GET['_wpnonce'] )
) {
    // Cancels the subscription - no current_user_can() check
    // No call to wp_verify_nonce()
    // Any visitor can reach this code
}

There’s no call to current_user_can(), and no nonce verification. Three missing security controls in one function.
What this means in practice
An unauthenticated attacker can cancel any active subscription with a single GET request, like this:
https://example.com/?wps_subscription_status_admin=cancel&wps_subscription_id=123&_wpnonce=anything-it-doesnt-matter
Since WooCommerce subscription IDs are sequential WordPress post IDs, an attacker could iterate through them and cancel every active subscription on a site.
The same pattern exists in a reactivation function too, meaning an attacker could also reactivate on-hold subscriptions. That one didn’t get a separate CVE, but it’s the same class of bug.
The irony is that other functions in the same file handle nonces properly, using wp_verify_nonce() correctly. The cancel & reactivate functions are the odd ones out.
How to check if you’re affected
If you’re running Subscriptions for WooCommerce, check your version:
# Check if you're running subscriptions-for-woocommerce <= 1.9.2
wp plugin list --name=subscriptions-for-woocommerce --fields=name,version,status
What to do
Simple: update to version 1.9.3 or later. The patch adds proper capability checks and nonce validation.
This is a good reminder that function names and class locations don’t provide security. A method in an “admin” class, hooked to a public action, is still public. WordPress access control depends on explicit checks: current_user_can() for authorisation and wp_verify_nonce() for request validation. Skip either one, and you’ve got an open door.
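For contrast with the vulnerable snippet above, here is what a correctly guarded cancel handler looks like in WordPress. This is illustrative code added for this post, not the plugin’s own code or its actual 1.9.3 patch; the example_* names, the admin_post hook, the manage_woocommerce capability and the meta key are assumptions.

```php
<?php
// Added illustrative example, not the plugin's own code nor its 1.9.3 patch:
// the same GET-driven cancel action rewritten with the controls the post
// describes. All names (example_* functions, hook, capability, meta key)
// are assumptions; the real plugin's status handling is not shown.

// Control 1: hook to admin_post_{action} (fires only for logged-in users on
// admin-post.php) instead of the public `init` action.
add_action( 'admin_post_example_cancel_subscription', 'example_cancel_subscription_handler' );

// Builds the link an admin clicks. wp_nonce_url() ties the nonce to both the
// action and the specific subscription ID, so it cannot be reused elsewhere.
function example_cancel_subscription_link( $subscription_id ) {
    $url = add_query_arg(
        array(
            'action'          => 'example_cancel_subscription',
            'subscription_id' => absint( $subscription_id ),
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_cancel_subscription_' . absint( $subscription_id ) );
}

function example_cancel_subscription_handler() {
    // Control 2: authorisation. Being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }

    $subscription_id = isset( $_GET['subscription_id'] ) ? absint( $_GET['subscription_id'] ) : 0;
    $nonce           = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    // Control 3: request validation. Verify the nonce's value against the
    // expected action, rather than only checking that something was sent.
    if ( 0 === $subscription_id
        || ! wp_verify_nonce( $nonce, 'example_cancel_subscription_' . $subscription_id ) ) {
        wp_die( esc_html__( 'Invalid or expired request.', 'example' ), 403 );
    }

    // Only now perform the state change (placeholder for the plugin's own
    // cancellation logic; the meta key is an assumption).
    update_post_meta( $subscription_id, '_example_subscription_status', 'cancelled' );

    // Return to the referring admin page; admin_post handlers must end the request.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
```

With this shape, a request lacking a valid nonce for that exact subscription ID, or coming from a user without the capability, stops at wp_die() before any state changes; the unauthenticated GET shown earlier never reaches the handler at all because admin_post_{action} does not fire for logged-out visitors.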