Arbitrary Shortcode Execution in ProfilePress Plugin for WordPress
CVE-2025-8878

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress
Vendor: CVE Published:; 16 August 2025

What is CVE-2025-8878?

The ProfilePress plugin for WordPress has a vulnerability that permits arbitrary shortcode execution due to inadequate validation of user inputs. This flaw exists in all versions up to 4.16.4, allowing unauthenticated attackers to exploit the vulnerability by triggering actions that utilize the do_shortcode function without proper checks. As a result, attackers can execute arbitrary shortcodes, potentially compromising the security of WordPress sites utilizing this plugin.

Affected Version(s)

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress * <= 4.16.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-user-avatar...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 16, 2025
Vulnerability Reserved
Aug 11, 2025

Credit

Matthew Rollings

Kishan Vyas