Arbitrary Shortcode Execution in ProfilePress Plugin for WordPress
CVE-2026-3309
6.5 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 4 April 2026
What is CVE-2026-3309?
The ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution. The flaw is present in all versions up to and including 4.16.11 and stems from improper handling of user-supplied billing field values during the checkout process: input is processed without adequate sanitization of shortcode syntax, so an attacker who submits specially crafted billing values can cause unauthorized shortcodes to run. Depending on which shortcodes are available on the site, this could lead to unauthorized access or other malicious activity, so prompt updates and mitigation are advised.
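To illustrate the bug class described above, the following is an added, hypothetical PHP sketch (not ProfilePress code; the function names, the `$_POST['billing']` input source and the rendering flow are assumptions) showing a billing field rendered through `do_shortcode()` beside a hardened version that treats billing data as plain text:

```php
<?php
// Hypothetical illustration of the vulnerability class, not ProfilePress code.
// Assumed: a customer-supplied billing value is stored at checkout and later
// rendered on an order or profile page. The hazard is shortcode syntax such as
// [some_shortcode] inside that value.

// WEAK: the stored value is passed through do_shortcode() on display, so any
// registered [shortcode] typed into a billing field is executed when rendered.
function render_billing_field_weak( string $stored_value ): string {
    return do_shortcode( $stored_value );
}

// HARDENED, step 1: sanitize at input time. Treat the field as plain text and
// remove registered shortcode tags before storing it.
function sanitize_billing_field( string $raw ): string {
    $value = sanitize_text_field( wp_unslash( $raw ) );
    // strip_shortcodes() removes tags for registered shortcodes; unregistered
    // [brackets] remain but are inert because nothing interprets them below.
    return strip_shortcodes( $value );
}

// HARDENED, step 2: never interpret billing data on output; only escape it.
function render_billing_field_safe( string $stored_value ): string {
    return esc_html( $stored_value );
}

// Checkout handler (assumed shape): sanitize each submitted billing field.
function handle_checkout_billing(): array {
    $clean = array();
    foreach ( (array) ( $_POST['billing'] ?? array() ) as $key => $raw ) {
        $clean[ sanitize_key( $key ) ] = sanitize_billing_field( (string) $raw );
    }
    return $clean; // store this, and render it only via render_billing_field_safe()
}
```

The key control is that user-controlled data is never handed to `do_shortcode()`; stripping shortcode tags at input is defense in depth, not a substitute for that.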
Affected Version(s)
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress: versions 0 through 4.16.11 (all versions up to and including 4.16.11)