Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress < 4.16.5 – Unauthenticated Arbitrary Shortcode Execution | CVE 2025-8878 | Plugin Vulnerabilities

Description

The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Fixed in 4.16.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9309b8bf-f581-4a56-a1ed-3941ebb36127

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter, Kishan Vyas

Verified

No

WPVDB ID

0c30b43b-43a9-4d2e-b03f-a28ce3639ef0

Timeline

Publicly Published

2025-08-15 (about 8 months ago)

Added

2025-08-15 (about 8 months ago)

Last Updated

2025-08-16 (about 8 months ago)

Other

Published

Title

Published

2024-05-23

Title

WP Photo Album Plus < 8.7.00.004 - Unauthenticated Arbitrary Shortcode Execution

Published

2024-11-18

Title

GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress < 7.1.6 - Unauthenticated Arbitrary Shortcode Execution via gamipress_get_user_earnings

Published

2025-02-20

Title

Head, Footer and Post Injections < 3.3.1 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments

Published

2014-08-01

Title

WP-Syntax < 0.9.10 - Remote Comm& Execution

Published

2021-02-23

Title

YITH WooCommerce Gift Cards Premium < 3.3.1 - RCE via Arbitrary File Upload