CVE-2026-13352
ProfilePress · Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content
The ProfilePress plugin for WordPress contains an arbitrary file upload vulnerability that permits authenticated users with low-level access to execute malicious code on the server.
Executive summary
The ProfilePress plugin for WordPress is vulnerable to arbitrary file uploads, which could allow an authenticated attacker to execute malicious code on the host server.
Vulnerability
This is an unrestricted file upload vulnerability (CWE-434) located within the plugin's upload handling logic. An attacker with low-level authenticated access can bypass security controls to upload and potentially execute arbitrary files.
Business impact
Successful exploitation of this flaw allows an attacker to achieve remote code execution on the underlying WordPress server. This leads to full site compromise, potential data exfiltration of user databases, and unauthorized modification of site content, which carries a high risk of reputational and operational damage. The CVSS score of 8.8 reflects the high severity of this critical access control failure.
Remediation
Immediate Action: Update the ProfilePress plugin to the latest available version that includes the patch for this vulnerability.
Proactive Monitoring: Monitor server access logs for unusual file creation events or requests to non-standard PHP files in the upload directories.
Compensating Controls: Deploy a Web Application Firewall (WAF) to block suspicious file upload attempts and restrict access to administrative or sensitive plugin functions.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the high CVSS score and the potential for total system compromise, administrators must prioritize updating the ProfilePress plugin immediately. Ensure that all plugin dependencies are also verified during the update process to maintain a secure environment.