ProfilePress WordPress Plugin Unauthenticated Arbitrary Shortcode Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary shortcode execution has been identified in the ProfilePress WordPress plugin, affecting all versions up to and including 4.16.4. The issue arises because the plugin does not properly validate user-supplied input before passing it to shortcode execution, which lets unauthenticated visitors choose which shortcodes run on the site.
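The following is an added illustration of the bug class this advisory describes, not code from ProfilePress: a hypothetical AJAX handler that hands request input straight to do_shortcode(), beside a hardened version that maps an allowlisted key to a server-chosen shortcode and sanitizes the arguments. Hook names, the 'example_' functions and the 'profile-card' shortcode are assumed.

```php
<?php
// Added example (not ProfilePress code). Shows the pattern named in the
// advisory: unvalidated user input executed as a shortcode, then a fix.

// WEAK: any unauthenticated visitor picks which shortcode runs and with
// what attributes, so every registered shortcode on the site is reachable.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_weak' );
function example_render_weak() {
    $content = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $content ); // arbitrary shortcode execution
    wp_die();
}

// HARDENED: the client may only name an allowlisted view; the server owns
// the shortcode tag and builds the attribute string from sanitized values.
const EXAMPLE_ALLOWED_VIEWS = array(
    'profile-card' => 'profile-card', // view key => shortcode tag (assumed)
);

add_action( 'wp_ajax_nopriv_example_render_safe', 'example_render_safe' );
function example_render_safe() {
    // Nonce check limits cross-site abuse; also ask whether this endpoint
    // needs to be reachable without login at all (is_user_logged_in()).
    check_ajax_referer( 'example_render', 'nonce' );

    $view = isset( $_POST['view'] ) ? sanitize_key( wp_unslash( $_POST['view'] ) ) : '';
    if ( ! isset( EXAMPLE_ALLOWED_VIEWS[ $view ] ) ) {
        wp_send_json_error( 'unknown view', 400 ); // reject anything off-list
    }

    $tag = EXAMPLE_ALLOWED_VIEWS[ $view ];
    if ( ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'view unavailable', 404 );
    }

    // Only a numeric id crosses the trust boundary; the tag never does.
    $id      = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $content = sprintf( '[%s id="%d"]', $tag, $id );

    wp_send_json_success( do_shortcode( $content ) );
}
```

When reviewing a plugin for this class of flaw, grep for do_shortcode() and apply_shortcodes() calls whose argument can be traced back to $_GET, $_POST or a REST request parameter, and check that the shortcode tag itself is never user-controlled.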

Impact

Exploitation of this vulnerability could lead to unauthorized users executing shortcodes, which may include actions like modifying user profiles or accessing sensitive information.

Reproduction

The vulnerability can be reproduced by sending a request to a site with the affected version of the ProfilePress plugin. The request must include a shortcode that the attacker wishes to execute. Since the vulnerability allows for arbitrary shortcode execution, any valid shortcode could be used, potentially including those that modify user data or access sensitive information.

Remediation

Users are advised to update the ProfilePress WordPress plugin to version 4.16.5 or later, where this vulnerability has been patched.

Added: Aug 16, 2025, 12:18 PM
Updated: Aug 16, 2025, 12:18 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.3
exploitability: 9.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.