Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint.
Published: 2025-12-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary shortcode execution enabling code execution
Action: Immediate Patch
AI Analysis

Impact

The ProfilePress plugin is vulnerable to arbitrary shortcode execution due to insufficient sanitization of the `type` parameter in the form preview feature. Authenticated users with Subscriber-level access or higher can call the `pp_preview_form` endpoint and inject arbitrary shortcodes, which may result in unintended code execution or data disclosure. This weakness is classified as CWE-94 and represents a moderate-severity flaw (CVSS 5.4).

Affected Systems

This issue affects all releases of the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress up to and including version 4.16.7. The vulnerability is linked to the properfraction vendor and pertains to the WordPress plugin named ProfilePress.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate risk, while the EPSS score of < 1% suggests exploitation is unlikely at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated with at least Subscriber-level access, as the endpoint is restricted to logged-in users. Once authenticated, the attacker can construct arbitrary shortcodes and trigger their execution via the preview functionality, potentially leading to code execution depending on the shortcode payloads that the site accepts.

Generated by OpenCVE AI on April 21, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProfilePress plugin to version 4.16.8 or later, which removes the unsanitized type parameter.
  • Restrict access to the pp_preview_form endpoint so that only Administrator or explicitly trusted roles can use it; consider disabling the form preview feature if not needed.
  • Validate and sanitize all input parameters before processing shortcodes, following CWE-94 best practices, and disable shortcodes that are not required for normal site operation.
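One way to apply these recommendations in a plugin's own code, as an added example: a hypothetical hardened preview handler that is not ProfilePress code. The hook name, capability, nonce name, shortcode tag names and request parameters are all assumptions; the point is the pattern of restricting the endpoint, allowlisting `type`, and never letting raw input name a shortcode.

```php
<?php
// Hypothetical hardened form-preview handler for a WordPress plugin (added
// example, not ProfilePress's code). Hook, capability, nonce name, shortcode
// tags and parameter names are assumptions chosen to illustrate the pattern.

add_action( 'wp_ajax_pp_preview_form', 'hypothetical_pp_preview_form' );

function hypothetical_pp_preview_form() {
    // 1. Endpoint access: require a capability Subscribers do not have
    //    (manage_options is held by Administrators by default).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection for the AJAX action (nonce action/field are assumed).
    check_ajax_referer( 'pp_preview_form_nonce', 'nonce' );

    // 3. Allowlist: `type` selects a fixed, server-defined shortcode tag.
    //    Any value not in this map is rejected, so the request can never
    //    supply its own shortcode text. Tag names here are assumptions.
    $allowed_types = array(
        'login'        => 'profilepress-login',
        'registration' => 'profilepress-registration',
        'profile'      => 'profilepress-user-profile',
    );
    $type = isset( $_GET['type'] ) ? sanitize_key( wp_unslash( $_GET['type'] ) ) : '';
    if ( ! array_key_exists( $type, $allowed_types ) ) {
        wp_send_json_error( 'unknown form type', 400 );
    }

    // 4. Numeric identifiers are cast to integers, never interpolated as text.
    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;

    // 5. Only the allowlisted tag and a validated integer reach do_shortcode().
    $shortcode = sprintf( '[%s id="%d"]', $allowed_types[ $type ], $form_id );
    wp_send_json_success( array( 'html' => do_shortcode( $shortcode ) ) );
}
```

If a site still needs lower-privileged users to preview forms, keep steps 3 and 5 as they are and only relax the capability in step 1; the allowlist is what prevents arbitrary shortcode execution.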

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Properfraction; Properfraction profilepress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Properfraction; Properfraction profilepress; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 15:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint.

Type: Title
Values Removed: (none)
Values Added: ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:58.055Z

Reserved: 2025-11-25T02:56:43.143Z

Link: CVE-2025-13642

Vulnrichment

Updated: 2025-12-09T15:32:00.533Z

NVD

Status : Deferred

Published: 2025-12-09T16:17:35.757

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:45:16Z

Weaknesses