CVE-2026-3309
Received Received - Intake
Arbitrary Shortcode Execution in ProfilePress Plugin via Billing Fields

Publication date: 2026-04-04

Last updated on: 2026-04-04

Assigner: Wordfence

Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing field values from the checkout process to be interpolated into shortcode template strings that are subsequently processed without proper sanitization of shortcode syntax. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-04
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3309
EUVD
EUVD-2026-18997
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
profilepress paid_membership_plugin to 4.16.11 (inc)
profilepress paid_membership_plugin to 4.16.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3309 is a vulnerability in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress. It allows unauthenticated attackers to execute arbitrary shortcodes by submitting specially crafted billing field values during the checkout process.

This happens because the plugin interpolates user-supplied billing field values into shortcode template strings without properly sanitizing the shortcode syntax, enabling arbitrary shortcode execution.

Impact Analysis

The vulnerability can allow attackers to execute arbitrary shortcodes on your WordPress site without authentication. This could lead to unauthorized actions or code execution within the context of the plugin.

Such unauthorized shortcode execution can compromise the integrity and security of your website, potentially leading to data manipulation, exposure of sensitive information, or other malicious activities depending on what the shortcodes are capable of.

Detection Guidance

Detection of this vulnerability involves checking if your WordPress site is running the affected Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin version 4.16.11 or earlier.

You can look for suspicious or crafted shortcode syntax in the billing fields submitted during the checkout process, as these fields are the attack vector.

Since the vulnerability involves arbitrary shortcode execution via billing fields, monitoring logs for unusual shortcode patterns in checkout submissions may help detect exploitation attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin to version 4.16.12 or later, where the vulnerability is fixed.

The fix involves sanitizing billing-related user meta data by applying functions like strip_shortcodes() and esc_attr() to billing fields before rendering, preventing execution of arbitrary shortcodes.

If updating immediately is not possible, consider implementing input sanitization or filtering on billing fields to strip or escape shortcode syntax to reduce risk.

Additionally, monitor checkout submissions for suspicious shortcode patterns and restrict unauthenticated users from submitting crafted billing data if feasible.

Compliance Impact

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process. This could potentially lead to unauthorized code execution and manipulation of user data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for attackers to execute arbitrary code and possibly access or manipulate billing information could pose risks to data confidentiality and integrity, which are key concerns in these regulations.

Therefore, organizations using the affected plugin versions might face challenges in maintaining compliance with data protection regulations if this vulnerability is exploited, due to potential unauthorized access or alteration of personal billing data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3309. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart