CVSS 7.1 | CVE-2026-3309 | CVE-2026-3445

WordPress ProfilePress Vulnerabilities: Arbitrary Shortcode Execution & Payment Bypass

Critical vulnerabilities in WordPress' ProfilePress plugin allow unauthenticated shortcode execution and membership payment bypass. Patch to v4.16.12 immediately to mitigate these risks.


Two critical vulnerabilities have been identified in the ProfilePress plugin for WordPress, a popular tool for user registration, membership management, and profile customization. These vulnerabilities allow for arbitrary shortcode execution and unauthorized membership payment bypass. A patch, version 4.16.12, is now available to address these issues.

These vulnerabilities are rated with CVSS scores of 6.5 and 7.1, indicating significant potential impact and exploitability.

What is ProfilePress?

ProfilePress (plugin slug: wp-user-avatar) is a WordPress plugin designed to enhance user management and membership functionality. It provides tools for creating custom registration forms, login pages, and user profiles, and for restricting content based on membership levels. It is widely used by websites offering paid memberships or gated content.

Arbitrary Shortcode Execution via Checkout Billing Fields

CVSS: 6.5
Affected versions: All versions of ProfilePress up to and including 4.16.11 are affected. This vulnerability affects any WordPress site using the plugin.

Medium severity - potential for remote code execution.

An estimated 2.9% of WordPress sites are potentially vulnerable.

This vulnerability stems from insufficient sanitization of user-supplied billing field values during the checkout process. Attackers can inject malicious shortcodes into these fields, which are then executed without proper validation, leading to arbitrary code execution.

How to fix CVE-2026-3309 in ProfilePress

Patch immediately

  1. Update ProfilePress to version 4.16.12 or later.

Update via WP-CLI:

    wp plugin update profilepress

Verify with:

    wp plugin status profilepress

NextGuard automatically flags CVE-2026-3309 if ProfilePress appears in any of your monitored projects — no manual lookup required.

Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass

CVSS: 7.1
Affected versions: All versions of ProfilePress up to and including 4.16.11 are affected. This vulnerability requires an authenticated user with subscriber access or higher.

High severity - potential for unauthorized access to paid content.

An estimated 2.5% of WordPress sites are potentially vulnerable.

This vulnerability allows authenticated attackers with subscriber-level access or higher to bypass membership payment requirements. A missing ownership verification in the `change_plan_sub_id` parameter allows manipulation of proration calculations, enabling attackers to obtain paid membership plans without payment.

How to fix CVE-2026-3445 in ProfilePress

Patch immediately

  1. Update ProfilePress to version 4.16.12 or later.

Update via WP-CLI:

    wp plugin update profilepress

Verify with:

    wp plugin status profilepress
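Both CVE-2026-3309 and CVE-2026-3445 share the same fix, so the two update procedures above can be wrapped in one check. The script below is an added example (not part of this advisory or of ProfilePress): it compares an installed version string against the patched release 4.16.12 from the advisory, and only when `wp` is available does it read the real version and update the `profilepress` plugin.

```shell
#!/bin/sh
# Added example: is an installed ProfilePress version still affected by
# CVE-2026-3309 / CVE-2026-3445 (all versions <= 4.16.11)? If so, update it.
# FIXED_VERSION and the plugin slug come from the advisory above.
FIXED_VERSION="4.16.12"
PLUGIN_SLUG="profilepress"

# Return 0 when dotted version $1 is older than $2 (field-by-field numeric
# comparison, so 4.16 < 4.16.12 and 4.9.3 < 4.16.12 both hold).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$ai" = "$a" ] && a="" || a="${a#*.}"
    [ "$bi" = "$b" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1
}

# Print "vulnerable" for any version below the fixed release, else "patched".
profilepress_status() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# Inside a WordPress checkout: read the installed version with WP-CLI and run
# the advisory's update + verify commands only when the site is still affected.
# Does nothing when wp is not on PATH, so the functions above can be sourced
# and used on their own (e.g. against a version exported from an inventory).
check_and_update() {
  command -v wp >/dev/null 2>&1 || { echo "wp not found; skipping"; return 0; }
  v="$(wp plugin get "$PLUGIN_SLUG" --field=version)"
  echo "installed ProfilePress $v: $(profilepress_status "$v")"
  if [ "$(profilepress_status "$v")" = "vulnerable" ]; then
    wp plugin update "$PLUGIN_SLUG"
    wp plugin status "$PLUGIN_SLUG"
  fi
}
```

Run `check_and_update` from the WordPress root (or with `--path=`) on each managed site; the version comparison is the part worth reusing across an inventory.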

NextGuard automatically flags CVE-2026-3445 if ProfilePress appears in any of your monitored projects — no manual lookup required.

Stay ahead of WordPress vulnerabilities

Proactively identify and address security risks in your WordPress ecosystem. Monitor your WordPress dependencies to ensure your sites remain protected.


Frequently asked questions

The vulnerabilities in ProfilePress highlight the importance of regularly updating WordPress plugins to mitigate security risks. Ensure you apply the patch to version 4.16.12 promptly.
