ProfilePress
cpe:2.3:a:profilepress:profilepress:*:*:*:*:wordpress:*:*, +1 more
- <= 4.16.7
The ProfilePress WordPress plugin, in all versions up to and including 4.16.7, is vulnerable to arbitrary shortcode execution. The form preview feature does not adequately sanitize the 'type' parameter, so authenticated attackers with Subscriber-level access or higher can execute arbitrary shortcodes via the 'pp_preview_form' endpoint.
The impact depends on which shortcodes are registered on the affected site: any shortcode exposed by WordPress core, the active theme, or another plugin becomes callable by a low-privileged user, which could be used to manipulate content or functionality on the WordPress site.
Users are advised to update the ProfilePress WordPress plugin to version 4.16.8 or a later patched version.
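The following is an added illustration of the vulnerability class described above and is not ProfilePress code: a hypothetical WordPress AJAX preview handler in which a user-controlled 'type' value is concatenated straight into do_shortcode(), next to a hardened version that resolves 'type' through a fixed allowlist and checks a capability. The action name, nonce action, shortcode tag names and the 'id' attribute are all assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Function names, the 'pp_example_preview'
// AJAX action, the nonce action and the shortcode tags are hypothetical.

// Unsafe pattern: the request decides which shortcode tag is executed.
function pp_example_preview_unsafe() {
    check_ajax_referer( 'pp-example-preview', 'nonce' );
    $type = isset( $_POST['type'] ) ? wp_unslash( $_POST['type'] ) : '';
    // Any logged-in user who can reach this action can supply, for example,
    // type=some_other_plugin_tag attr="..." and have that shortcode run.
    echo do_shortcode( '[' . $type . ']' );
    wp_die();
}

// Hardened pattern: 'type' is only ever a key into a fixed map, never part of
// the shortcode string itself, and the caller must hold a relevant capability.
function pp_example_preview_safe() {
    check_ajax_referer( 'pp-example-preview', 'nonce' );

    // Preview is an administrative feature in this example; Subscribers are rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allowlist of previewable forms (hypothetical tag names).
    $allowed = array(
        'login'        => 'pp_example_login_form',
        'registration' => 'pp_example_registration_form',
    );

    $type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    if ( ! isset( $allowed[ $type ] ) ) {
        wp_send_json_error( 'unknown form type', 400 );
    }

    // Only typed, validated values are interpolated into the shortcode.
    $form_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    echo do_shortcode( sprintf( '[%s id="%d"]', $allowed[ $type ], $form_id ) );
    wp_die();
}

add_action( 'wp_ajax_pp_example_preview', 'pp_example_preview_safe' );
```

Two points the hardened version relies on: the lookup into $allowed means a request can select a shortcode but never name one, and every attribute that does reach the shortcode string is coerced to a safe type (absint here) rather than passed through. sanitize_key() alone is not the control; it would strip brackets and spaces but still let an attacker name any single registered tag, so the allowlist is what closes the hole.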