{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8878", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-11T22:18:38.543Z", "datePublished": "2025-08-16T11:11:24.022Z", "dateUpdated": "2026-04-08T17:09:35.493Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:35.493Z"}, "affected": [{"vendor": "properfraction", "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.16.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "title": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress <= 4.16.4 - Unauthenticated Arbitrary Shortcode Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9309b8bf-f581-4a56-a1ed-3941ebb36127?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/RegistrationAuth.php#L131"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L318"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L329"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L339"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L385"}, {"url": "https://plugins.trac.wordpress.org/changeset/3345295/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}, {"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "timeline": [{"time": "2025-08-11T22:38:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-15T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-18T18:02:12.200790Z", "id": "CVE-2025-8878", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T18:04:35.028Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8878", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T18:02:12.200790Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T18:03:55.949Z"}}], "cna": {"title": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress <= 4.16.4 - Unauthenticated Arbitrary Shortcode Execution", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}, {"lang": "en", "type": "finder", "value": "Kishan Vyas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "properfraction", "product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.16.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-11T22:38:22.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-15T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9309b8bf-f581-4a56-a1ed-3941ebb36127?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/RegistrationAuth.php#L131"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L318"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L329"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L339"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L385"}, {"url": "https://plugins.trac.wordpress.org/changeset/3345295/"}], "descriptions": [{"lang": "en", "value": "The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-16T11:11:24.022Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8878", "state": "PUBLISHED", "dateUpdated": "2025-08-18T18:04:35.028Z", "dateReserved": "2025-08-11T22:18:38.543Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-16T11:11:24.022Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."}, {"lang": "es", "value": "El complemento The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile &amp; Restrict Content \u2013 ProfilePress para WordPress es vulnerable a la ejecuci\u00f3n de shortcodes arbitrarios en todas las versiones hasta la 4.16.4 incluida. Esto se debe a que el software permite a los usuarios ejecutar una acci\u00f3n que no valida correctamente un valor antes de ejecutar do_shortcode. Esto permite que atacantes no autenticados ejecuten shortcodes arbitrarios."}], "id": "CVE-2025-8878", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-16T12:15:32.127", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/RegistrationAuth.php#L131"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L318"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L329"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L339"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L385"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3345295/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9309b8bf-f581-4a56-a1ed-3941ebb36127?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:27:51.228652+00:00", "value": {"mitigation_remediation": ["Upgrade the Paid Membership Plugin to a patched release (e.g., 4.16.5 or later) that eliminates the unsanitized do_shortcode call.", "If an update cannot be applied immediately, consider disabling or uninstalling the plugin until a fixed version is available to prevent exposure.", "As a stop\u2011gap, configure WordPress or the plugin itself to restrict shortcode execution to authenticated users only and audit existing shortcodes for potential malicious content."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Arbitrary Shortcode Execution"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content \u2013 ProfilePress plugin with a version of 4.16.4 or earlier are affected. Users running any of these plugin versions should review their installation and determine whether the plugin is in use and the extent of its exposure.\n", "description_and_impact": "The vulnerability in the Paid Membership Plugin allows an unauthenticated user to pass an unsanitized value to a routine that calls do_shortcode without proper validation. This flaw enables the execution of arbitrary shortcodes, which can be leveraged to run malicious code or otherwise alter the behavior of the WordPress site. The weakness is a classic instance of code injection as identified by CWE-94.\n", "risk_and_exploitability": "The CVSS v3 score of 6.5 indicates a moderate severity vulnerability. The EPSS score of less than 1% suggests that the likelihood of real\u2011world exploitation is low, and the issue is not currently listed in the CISA KEV catalog. The flaw can be triggered without authentication, implying the attacker can target the site publicly, likely by crafting a request that invokes the shortcode parser. The impact is confined to the ability to run arbitrary shortcodes, which may lead to code execution, data exfiltration, or other malicious actions depending on the shortcodes the attacker inserts.\n"}}}}, "created": "2026-04-21T03:30:26.338604+00:00", "updated": "2026-04-21T03:30:26.338619+00:00", "vendors": []}