Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing field values from the checkout process to be interpolated into shortcode template strings that are subsequently processed without proper sanitization of shortcode syntax. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process.
Published: 2026-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin permits unauthenticated users to submit crafted billing field values during checkout. These values are interpolated into shortcode templates and processed without proper sanitization, allowing arbitrary shortcode execution. This exposes the site to remote code execution by enabling attackers to embed malicious PHP or other commands into shortcodes. The weakness aligns with code injection (CWE-94).

Affected Systems

All WordPress sites that use the ProfilePress plugin version 4.16.11 or earlier are affected. The vulnerability exists across all features of the plugin, including membership management, e-commerce checkout, user registration, login, profile handling, and restricted content services. No specific WordPress core or theme versions are mentioned; the issue is confined to the plugin's code.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because the exploitation does not require authentication and can be performed via the publicly accessible checkout form, the likelihood of real-world attacks is significant. An attacker could execute arbitrary shortcodes that result in privilege escalation, defacement, data exfiltration, or malware installation. The attack vector is through unchecked billing field input during checkout, making payload delivery straightforward for malicious actors.

Generated by OpenCVE AI on April 4, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProfilePress plugin to the latest version (4.16.12 or later) if an official patch is released.
  • If a patch is not yet available, temporarily block or sanitize the checkout billing fields to prevent arbitrary shortcode input.
  • Add firewall rules to detect and block malicious shortcode patterns in user-submitted data.
  • Monitor server and application logs for unusual shortcode usage or error messages that may indicate exploitation.
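As an added illustration of the second recommended action (this is not ProfilePress code; the function names, the `{{field}}` placeholder syntax and the sample template are assumptions), the ordering that produces the vulnerability class described above is shown next to a hardened ordering: the template's own shortcodes are expanded first, and the user-supplied billing values are substituted afterwards with shortcode brackets neutralized, so nothing user-controlled ever reaches the shortcode parser.

```php
<?php
// Added example, not plugin code. Assumes the WordPress helpers
// do_shortcode(), sanitize_text_field() and esc_html() are loaded.

// Vulnerable ordering (the pattern the advisory describes): billing
// values are interpolated into the template and the combined string is
// then handed to do_shortcode(), so a value containing shortcode syntax
// is parsed and executed like any template shortcode.
function render_billing_vulnerable( string $template, array $billing ): string {
    foreach ( $billing as $key => $value ) {
        $template = str_replace( '{{' . $key . '}}', (string) $value, $template );
    }
    return do_shortcode( $template );
}

// Hardened ordering: run do_shortcode() on the trusted template alone,
// then substitute user values. Each value is sanitized, HTML-escaped and
// has '[' and ']' replaced by entities. strip_shortcodes() alone is not
// enough here: it only removes shortcodes that are currently registered.
function render_billing_hardened( string $template, array $billing ): string {
    $rendered = do_shortcode( $template );
    foreach ( $billing as $key => $value ) {
        $safe = esc_html( sanitize_text_field( (string) $value ) );
        $safe = str_replace( array( '[', ']' ), array( '&#91;', '&#93;' ), $safe );
        $rendered = str_replace( '{{' . $key . '}}', $safe, $rendered );
    }
    return $rendered;
}

// Constructed sample input: the template is author-controlled, the
// billing array is request data.
$template = '<p>Invoice for {{billing_name}}, {{billing_city}}</p>';
$billing  = array(
    'billing_name' => 'Jane Example',
    'billing_city' => 'Springfield',
);
echo render_billing_hardened( $template, $billing );
```

In the hardened version a billing value is always emitted as text, whatever characters it contains, while the template keeps its normal shortcode behaviour.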


Tracking


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Properfraction
                                      Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Properfraction
                                      Properfraction paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress
                                      Wordpress
                                      Wordpress wordpress

Mon, 06 Apr 2026 20:00:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 11:15:00 +0000

Type          Values Removed   Values Added
Description                    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing field values from the checkout process to be interpolated into shortcode template strings that are subsequently processed without proper sanitization of shortcode syntax. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process.
Title                          Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields
Weaknesses                     CWE-94
References
Metrics                        cvssV3_1
                               {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:13.894Z

Reserved: 2026-02-26T22:14:57.847Z

Link: CVE-2026-3309

Vulnrichment

Updated: 2026-04-06T18:00:07.843Z

NVD

Status: Deferred

Published: 2026-04-04T12:16:03.237

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-3309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T22:20:49Z

Weaknesses