What the vulnerability does
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint.
Explanation of Vulnerability in Simple Terms
ProfilePress versions up to and including 4.16.7 let any authenticated user, Subscriber role or above, execute arbitrary shortcodes by supplying a crafted `type` value to the form preview feature. This is shortcode injection, not direct PHP code execution: the attacker can trigger any shortcode registered on the site, whether it comes from WordPress core, the theme or another plugin, so the real impact depends on what those shortcodes do. Exploitation requires an active account but no elevated privileges.
What an attacker can do
Execute arbitrary shortcodes, including attacker-chosen attributes, by passing crafted input to the form preview endpoint from an authenticated low-privilege session.
Potential impact on your site
Any registered user can run shortcodes that are normally only placed in content by trusted authors. Depending on which shortcodes the installed plugins and theme register, that can expose data, alter content, or serve as a stepping stone toward full compromise of the installation.
Conditions required to exploit
Attacker must have an authenticated account on the site with Subscriber-level access or above (e.g., Subscriber or Contributor). No higher privilege is needed, so a site with open registration is exposed to anyone who signs up.
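Two things a responder wants from this advisory are a way to tell whether an installed copy is in the affected range and a way to look back through web server logs for abuse of the preview endpoint. The script below is an added example written for this page; it is not ProfilePress code and not from the advisory's author. It assumes the preview endpoint is reached through a GET request that carries `pp_preview_form` and the `type` parameter in the URL (path or query string); the log lines are constructed for the example and the shortcode in them is a harmless core one.

```python
"""Triage helpers for the ProfilePress arbitrary shortcode execution advisory.

Check 1: is an installed plugin version inside the affected range
         (all versions up to and including 4.16.7, per the advisory)?
Check 2: do access-log requests that reach the pp_preview_form endpoint
         carry shortcode syntax in their `type` parameter?

Assumption (not stated on the page): the endpoint and the `type` value are
visible in the request URL. Sample log lines are constructed for this example.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

AFFECTED_MAX = (4, 16, 7)  # "all versions up to, and including, 4.16.7"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.16.7' into (4, 16, 7); a non-numeric suffix ends parsing."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version falls inside the advisory's range."""
    return parse_version(version) <= AFFECTED_MAX


# Combined log format: ip ident user [ts] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Opening '[tag' of a WordPress shortcode.
SHORTCODE_SYNTAX = re.compile(r"\[\s*[A-Za-z0-9_-]+")


def request_looks_like_shortcode_injection(target: str) -> dict | None:
    """Inspect one request target (path plus query string).

    Returns a dict describing the hit when the request touches the
    pp_preview_form endpoint and its `type` parameter contains shortcode
    syntax; otherwise None.
    """
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    mentions_endpoint = "pp_preview_form" in url.path or any(
        "pp_preview_form" in v for vals in query.values() for v in vals
    )
    if not mentions_endpoint:
        return None
    for raw in query.get("type", []):
        decoded = unquote_plus(raw)  # parse_qs decoded once; strip a second layer
        if SHORTCODE_SYNTAX.search(decoded):
            return {"param": "type", "value": decoded}
    return None


def scan_access_log(lines) -> list[dict]:
    """Return one finding per log line that matches the injection pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = request_looks_like_shortcode_injection(m["target"])
        if finding:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], **finding})
    return hits


# Constructed sample lines (not real traffic): a benign preview request, a
# preview request whose `type` carries a shortcode, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2025:08:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=pp_preview_form&type=login&form=3 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Dec/2025:08:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=pp_preview_form&type=%5Bgallery%5D&form=3 HTTP/1.1" 200 7731',
    '198.51.100.4 - - [10/Dec/2025:08:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200',
]

if __name__ == "__main__":
    print("4.16.7 affected:", is_affected("4.16.7"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

If the preview endpoint is called with POST, the `type` value lives in the request body and never reaches a standard access log; in that case run the same check over WAF or reverse-proxy body logs, or simply treat every authenticated request to `pp_preview_form` from an unexpected account as worth a look. The version check only says whether a copy is in the advisory's range; the fixed version is not stated on this page, so confirm it against the plugin changelog before closing the finding.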
Key dates
December 9, 2025
CVE published
April 8, 2026
Record updated