{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13642", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T02:56:43.143Z", "datePublished": "2025-12-09T15:23:48.459Z", "dateUpdated": "2026-04-08T16:49:58.055Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:58.055Z"}, "affected": [{"vendor": "properfraction", "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.16.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint."}], "title": "ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4736d139-814e-4eeb-91e8-5ee41fc35a8f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L71"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L15"}, {"url": "https://plugins.trac.wordpress.org/changeset/3408055/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Quang Bach"}], "timeline": [{"time": "2025-11-25T02:14:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-09T15:53:52.116928Z", "id": "CVE-2025-13642", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T15:53:59.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13642", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-09T15:31:25.898342Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T15:32:00.533Z"}}], "cna": {"title": "ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ngoc Quang Bach"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "properfraction", "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.16.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-25T02:14:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4736d139-814e-4eeb-91e8-5ee41fc35a8f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L71"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L15"}, {"url": "https://plugins.trac.wordpress.org/changeset/3408055/"}], "descriptions": [{"lang": "en", "value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:58.055Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13642", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:58.055Z", "dateReserved": "2025-11-25T02:56:43.143Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-09T15:23:48.459Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint."}], "id": "CVE-2025-13642", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-09T16:17:35.757", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L71"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3408055/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4736d139-814e-4eeb-91e8-5ee41fc35a8f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:35:37.976349+00:00", "value": {"mitigation_remediation": ["Upgrade the ProfilePress plugin to version 4.16.8 or later, which removes the unsanitized type parameter.", "Restrict access to the pp_preview_form endpoint so that only Administrator or explicitly trusted roles can use it; consider disabling the form preview feature if not needed.", "Validate and sanitize all input parameters before processing shortcodes, following CWE\u201194 best practices, and disable shortcodes that are not required for normal site operation."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary shortcode execution enabling code execution"}, "threat_synthesis": {"affected_systems": "This issue affects all releases of the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress up to and including version 4.16.7. The vulnerability is linked to the properfraction vendor and pertains to the WordPress plugin named ProfilePress.", "description_and_impact": "The ProfilePress plugin is vulnerable to arbitrary shortcode execution due to insufficient sanitization of the type parameter in the form preview feature. Authenticated users with Subscriber level or higher can trigger the pp_preview_form endpoint and inject arbitrary shortcodes, which may result in unintended code execution or data disclosure. This weakness is classified as CWE\u201194 and represents a moderate severity flaw (CVSS 5.4).", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate risk, while the EPSS score of < 1% suggests exploitation is unlikely at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to be authenticated with at least Subscriber\u2011level access, as the endpoint is restricted to logged\u2011in users. Once authenticated, the attacker can construct arbitrary shortcodes and trigger their execution via the preview functionality, potentially leading to code execution depending on the shortcode payloads that the site accepts."}}}}, "created": "2025-12-10T17:49:31.723184+00:00", "updated": "2026-04-21T17:45:16.480982+00:00", "vendors": ["properfraction", "properfraction$PRODUCT$profilepress", "wordpress", "wordpress$PRODUCT$wordpress"]}