ProfilePress < 4.16.8 – Authenticated (Subscriber+) Arbitrary Shortcode Execution | CVE 2025-13642 | Plugin Vulnerabilities

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint.

Affects Plugins

Fixed in 4.16.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4736d139-814e-4eeb-91e8-5ee41fc35a8f

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Ngoc Quang Bach (maysbachs)

Verified

No

WPVDB ID

6cee01a5-ba85-4c33-8611-57a096ef824c

Timeline

Publicly Published

2025-12-08 (about 5 months ago)

Added

2025-12-09 (about 5 months ago)

Last Updated

2025-12-09 (about 5 months ago)

Other

Published

Title

Published

2025-10-08

Title

xSmart <= 1.2.9.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Published

2025-03-28

Title

Shortcodes by United Themes < 5.1.7 - Unauthenticated Arbitrary Shortcode Execution

Published

2019-06-11

Title

Insert or Embed Articulate Content into WordPress < 4.2999 - Unauthenticated RCE

Published

2014-11-20

Title

CM Download Manager < 2.0.4 - Unauthenticated Code Injection

Published

2024-12-28

Title

Ninja Forms < 3.8.23 - Subscriber+ Arbitrary Shortcode Execution