cleantalk
Vulnerabilities and Security Researches

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress, CVE-2025-13642

CVE, Research URL

CVE-2025-13642

Home page URL

Security reports for Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Application

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Published on
Dec 09, 2025
Research Description
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint.
Affected versions
max 4.16.8.
Status
vulnerable
Previous vulnerability researches
SKT Skill Bar (CVE-2025-66090) , Dec 11, 2025
SKT Skill Bar (CVE-2024-38698) , Jul 15, 2024
SKT Skill Bar (CVE-2025-47482) , May 09, 2025
SKT Skill Bar (CVE-2025-26880) , Apr 15, 2025
New vulnerability
Review Disclaimer (CVE-2025-67628) , Jan 10, 2026
MAS Videos (CVE-2025-62753) , Jan 10, 2026
Postem Ipsum (CVE-2025-14397) , Jan 10, 2026
WH Tweaks (CVE-2025-67630) , Jan 10, 2026
Advanced FAQ Manager (CVE-2025-67556) , Jan 10, 2026