ProfilePress WordPress Plugin Unauthenticated Shortcode Execution Vulnerability

Vulnerability

A vulnerability exists in the ProfilePress WordPress plugin, specifically in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile, and Restrict Content components, in all versions up to and including 4.16.11. The issue allows arbitrary shortcode execution. It arises because the plugin does not properly sanitize user-supplied billing information from the checkout process, so an unauthenticated user can cause shortcodes to be executed by submitting crafted billing values. The vulnerability has been patched in version 4.16.12.
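The root cause described above, as an added illustration that is not ProfilePress's own code: a hypothetical confirmation-message renderer that merges checkout billing fields into an admin-authored template. If the raw user values are merged first and the combined string is then passed to do_shortcode(), any bracket syntax inside a billing field is interpreted as a shortcode; running shortcode expansion on the trusted template before merging sanitized, escaped user values removes that path. The ppress_demo_* names, the template string and the demo_receipt shortcode are constructed for this example; only the WordPress API calls (add_shortcode, do_shortcode, sanitize_text_field, esc_html, wp_rand) are real.

```php
<?php
// Added illustration (not ProfilePress code). Assumes WordPress is loaded so that
// add_shortcode(), do_shortcode(), sanitize_text_field(), esc_html() and wp_rand() exist.

// Constructed sample: an admin-authored template that legitimately contains a
// shortcode, plus a placeholder for a checkout billing field.
const PPRESS_DEMO_TEMPLATE = 'Thanks {billing_first_name}, your receipt: [demo_receipt]';

// Hypothetical shortcode registered by the site; it stands in for any shortcode
// a site may have registered.
add_shortcode('demo_receipt', function () {
    return 'Receipt #' . wp_rand(1000, 9999);
});

// VULNERABLE pattern: the placeholder is replaced with the raw request value and
// only then is the whole string handed to do_shortcode(). Bracket syntax supplied
// by the user is expanded exactly as if an administrator had written it.
function ppress_demo_render_vulnerable(array $billing): string {
    $text = str_replace('{billing_first_name}', $billing['first_name'] ?? '', PPRESS_DEMO_TEMPLATE);
    return do_shortcode($text);
}

// HARDENED pattern: expand shortcodes in the trusted template first, then merge
// user data that has been sanitized and HTML-escaped. User input never reaches
// do_shortcode(), so any brackets it contains remain literal text.
function ppress_demo_render_hardened(array $billing): string {
    $text = do_shortcode(PPRESS_DEMO_TEMPLATE);
    $first_name = esc_html(sanitize_text_field($billing['first_name'] ?? ''));
    return str_replace('{billing_first_name}', $first_name, $text);
}

// Optional input-boundary check: flag shortcode-like bracket syntax in fields that
// should never contain it (a name, a street, a postcode). This supports logging or
// rejection at the form handler; it does not replace the ordering fix above.
function ppress_demo_contains_shortcode_syntax(string $value): bool {
    return (bool) preg_match('/\[[A-Za-z0-9_\-]+/', $value);
}
```

The decisive change is the order of operations: do_shortcode() is applied only to content the site administrator authored, and user-controlled values are merged afterwards as inert, escaped text. The boundary check is a secondary control useful for detection, since a billing field containing bracket syntax is a strong signal worth logging.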

Impact

Exploitation of this vulnerability allows arbitrary shortcode execution; the resulting impact depends on which shortcode is executed.

Remediation

Users are advised to update the ProfilePress WordPress plugin to version 4.16.12 or later.

Added: Apr 4, 2026, 12:17 PM
Updated: Apr 4, 2026, 12:17 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 5.4
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.