CVE-2026-1926
Subscriptions for WooCommerce <= 1.9.2 - Missing Authorization to Unauthenticated Arbitrary Subscription CancellationThe Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty check on the nonce parameter without actually validating it via `wp_verify_nonce()`. This makes it possible for unauthenticated attackers to cancel any active WooCommerce subscription by sending a crafted GET request with an arbitrary nonce value via the `wps_subscription_id` parameter.
We have discovered 847 live websites that are affected by CVE-2026-1926.
Affected Software
| Product |  Subscriptions For Woocommerce |
| Category | Wordpress Plugins |
| Vulnerable Domains | 847 live websites (69% of Subscriptions For Woocommerce install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 45 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Mar 18, 2026
- Updated - Apr 8, 2026
Credits
- shrikant bhosale (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-1926 United States | 365 websites |
 GB | 89 websites |
 Germany | 48 websites |
 Cyprus | 35 websites |
 France | 33 websites |
 South Africa | 21 websites |
 Canada | 21 websites |
 Australia | 18 websites |
 Spain | 18 websites |
 Netherlands | 17 websites |
Website Distribution by TLD
Number of websites using CVE-2026-1926| .com | 446 websites |
| .org | 72 websites |
| .co.uk | 51 websites |
| .net | 22 websites |
| .com.au | 18 websites |
| .nl | 15 websites |
| .de | 13 websites |
| .com.br | 13 websites |
| .ca | 12 websites |
| .fr | 10 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-1926
Top websites that are affected by CVE-2026-1926. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **************.com | United States | ***,*** | |
| ********.net | GB | ***,*** | |
| ******.org | United States | ***,*** | |
| ********************.com | United States | ***,*** | |
| **************.com | United States | ***,*** | |
| ****************.com | United States | ***,*** | |
| **************.com | United States | ***,*** | |
| ************.co | United States | ***,*** | |
| ******************.com | GB | ***,*** | |
| **********.com | United States | *,***,*** |
FAQ
CVE-2026-1926 is Missing Authorization in Subscriptions For Woocommerce
A total of 847 websites have been identified as vulnerable to CVE-2026-1926, based on global website indexing conducted by WebTechSurvey.
The Subscriptions For Woocommerce is affected by the CVE-2026-1926 vulnerability.
Subscriptions For Woocommerce versions up to and including 1.9.2 are vulnerable to CVE-2026-1926.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/eabfdf29-eca9-4e4b-b809-23a83f5a91ac?source=cve
- https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/admin/class-subscriptions-for-woocommerce-admin.php#L831
- https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/admin/class-subscriptions-for-woocommerce-admin.php#L831
- https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/tags/1.9.0/includes/class-subscriptions-for-woocommerce.php#L248
- https://plugins.trac.wordpress.org/browser/subscriptions-for-woocommerce/trunk/includes/class-subscriptions-for-woocommerce.php#L248
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3470887%40subscriptions-for-woocommerce%2Ftrunk&old=3449291%40subscriptions-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail=