CVE-2026-3309
Arbitrary Shortcode Execution in ProfilePress Plugin via Billing Fields
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| profilepress | paid_membership_plugin | to 4.16.11 (inc) |
| profilepress | paid_membership_plugin | to 4.16.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3309 is a vulnerability in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress. It allows unauthenticated attackers to execute arbitrary shortcodes by submitting specially crafted billing field values during the checkout process.
This happens because the plugin interpolates user-supplied billing field values into shortcode template strings without properly sanitizing the shortcode syntax, enabling arbitrary shortcode execution.
How can this vulnerability impact me?
The vulnerability can allow attackers to execute arbitrary shortcodes on your WordPress site without authentication. This could lead to unauthorized actions or code execution within the context of the plugin.
Such unauthorized shortcode execution can compromise the integrity and security of your website, potentially leading to data manipulation, exposure of sensitive information, or other malicious activities depending on what the shortcodes are capable of.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your WordPress site is running the affected Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin version 4.16.11 or earlier.
You can look for suspicious or crafted shortcode syntax in the billing fields submitted during the checkout process, as these fields are the attack vector.
Since the vulnerability involves arbitrary shortcode execution via billing fields, monitoring logs for unusual shortcode patterns in checkout submissions may help detect exploitation attempts.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin to version 4.16.12 or later, where the vulnerability is fixed.
The fix involves sanitizing billing-related user meta data by applying functions like strip_shortcodes() and esc_attr() to billing fields before rendering, preventing execution of arbitrary shortcodes.
If updating immediately is not possible, consider implementing input sanitization or filtering on billing fields to strip or escape shortcode syntax to reduce risk.
Additionally, monitor checkout submissions for suspicious shortcode patterns and restrict unauthenticated users from submitting crafted billing data if feasible.
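The fix pattern described above, as an added example that is not ProfilePress code: a billing value rendered into a shortcode-processed template first without sanitization, then after strip_shortcodes() and esc_attr(). Only those two WordPress functions and do_shortcode() are real core functions; every other function name is an assumption, and the stand-in definitions are used only when the file runs outside WordPress.

```php
<?php
// Added example, not ProfilePress code. Runs inside WordPress; outside it, the
// simplified stand-ins below are defined so the file runs on its own (php file.php).
if ( ! function_exists( 'strip_shortcodes' ) ) {
    // Stand-in: core strip_shortcodes() removes only *registered* shortcode tags.
    function strip_shortcodes( $content ) {
        return preg_replace( '/\[\/?[A-Za-z0-9_-]+[^\]]*\]/', '', $content );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'do_shortcode' ) ) {
    // Stand-in: marks where core do_shortcode() would have run a shortcode.
    function do_shortcode( $content ) {
        return preg_replace( '/\[[^\]]+\]/', '{shortcode executed}', $content );
    }
}

// Vulnerable pattern (CWE-94): a user-controlled billing value is interpolated into
// a template string that is later passed through do_shortcode(), so shortcode
// syntax inside the value is executed rather than displayed.
function render_billing_field_vulnerable( string $label, string $value ): string {
    $template = '<label>' . $label . '</label><input type="text" value="' . $value . '" />';
    return do_shortcode( $template );
}

// Hardened pattern, the class of fix the advisory describes: strip shortcode
// syntax, then attribute-escape, before the value reaches the template.
function sanitize_billing_value( $value ): string {
    return esc_attr( strip_shortcodes( (string) $value ) );
}

function render_billing_field_hardened( string $label, string $value ): string {
    $template = '<label>' . esc_attr( $label ) . '</label>'
              . '<input type="text" value="' . sanitize_billing_value( $value ) . '" />';
    return do_shortcode( $template );
}

// Constructed sample: a billing "City" value carrying shortcode syntax and a quote.
$sample = 'Spring"field [example_tag]';
echo 'vulnerable: ' . render_billing_field_vulnerable( 'City', $sample ) . PHP_EOL;
echo 'hardened:   ' . render_billing_field_hardened( 'City', $sample ) . PHP_EOL;
```

Inside WordPress the same sanitize step belongs at the point where the plugin reads billing user meta for display, so every rendering path shares it rather than each template escaping on its own.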
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process. This could potentially lead to unauthorized code execution and manipulation of user data.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for attackers to execute arbitrary code and possibly access or manipulate billing information could pose risks to data confidentiality and integrity, which are key concerns in these regulations.
Therefore, organizations using the affected plugin versions might face challenges in maintaining compliance with data protection regulations if this vulnerability is exploited, due to potential unauthorized access or alteration of personal billing data.