cleantalk
Vulnerabilities and Security Researches

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress, CVE-2025-13642

CVE, Research URL

CVE-2025-13642

Home page URL

Security reports for Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Application

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Published on
Dec 09, 2025
Research Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint.
Affected versions
max 4.16.8.
Status
vulnerable
Previous vulnerability researches
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2025-30819) , Apr 02, 2025
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2023-23893) , Jun 10, 2024
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2025-47606) , May 09, 2025
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2022-4974) , Nov 15, 2024
Simple Giveaways – Grow your business, email lists and traffic with contests (CVE-2021-24298) , Jun 07, 2024
New vulnerability
Lucky Wheel for WooCommerce – Spin a Sale (CVE-2025-14509) , Jan 10, 2026
WP Voting Contest Lite (CVE-2025-60086) , Jan 10, 2026
Custom Related Posts (CVE-2025-68033) , Jan 10, 2026
Image Photo Gallery Final Tiles Grid (CVE-2025-13693) , Jan 10, 2026
Image Photo Gallery Final Tiles Grid (CVE-2025-14455) , Jan 10, 2026