CVE-2026-13352
Received Received - Intake

Arbitrary File Upload in ProfilePress WordPress Plugin

Vulnerability report for CVE-2026-13352, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Wordfence

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowed_mime_types function. This is due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. This filter is registered globally on every request regardless of whether the digital products feature is configured or in use, meaning the expanded MIME allowlist affects all WordPress upload contexts site-wide.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_brain profilepress to 4.16.18 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The ProfilePress WordPress plugin up to version 4.16.18 has an Arbitrary File Upload vulnerability. It unconditionally registers an upload_mimes filter that adds executable file extensions like .exe, .apk, and .msi to WordPress's global MIME allowlist. This allows authenticated attackers with author-level access or higher to upload potentially executable files, enabling remote code execution across the entire site.

Detection Guidance

Check WordPress admin logs for unauthorized file uploads, especially files with executable extensions like .exe, .apk, or .msi. Review the ProfilePress plugin settings for unexpected MIME type allowlist changes. Use server logs to identify uploads outside digital product contexts.

Impact Analysis

If you use the ProfilePress plugin, attackers could upload malicious executable files to your WordPress site. This could lead to remote code execution, allowing attackers to take control of your website, steal data, or install malware. The vulnerability affects all WordPress upload contexts site-wide, not just digital product uploads.

Compliance Impact

This vulnerability could lead to unauthorized access and data breaches, violating GDPR and HIPAA requirements for data protection and access control. A successful exploit may result in exposure of sensitive user data, triggering compliance violations and potential legal penalties.

Mitigation Strategies

Update the ProfilePress plugin to the latest version. Remove the global upload_mimes filter modification in the plugin code. Restrict author-level and higher user roles to prevent unauthorized uploads. Monitor for suspicious file uploads in WordPress directories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart