CVE-2026-13352

ProfilePress · Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content

The ProfilePress plugin for WordPress contains an arbitrary file upload vulnerability that permits authenticated users with low-level access to execute malicious code on the server.

Executive summary

The ProfilePress plugin for WordPress is vulnerable to arbitrary file uploads, which could allow an authenticated attacker to execute malicious code on the host server.

Vulnerability

This is an unrestricted file upload vulnerability (CWE-434) located within the plugin's upload handling logic. An attacker with low-level authenticated access can bypass security controls to upload and potentially execute arbitrary files.

Business impact

Successful exploitation of this flaw allows an attacker to achieve remote code execution on the underlying WordPress server. This leads to full site compromise, potential data exfiltration of user databases, and unauthorized modification of site content, which carries a high risk of reputational and operational damage. The CVSS score of 8.8 reflects the high severity of this critical access control failure.

Remediation

Immediate Action: Update the ProfilePress plugin to the latest available version that includes the patch for this vulnerability.

Proactive Monitoring: Monitor server access logs for unusual file creation events or requests to non-standard PHP files in the upload directories.

Compensating Controls: Deploy a Web Application Firewall (WAF) to block suspicious file upload attempts and restrict access to administrative or sensitive plugin functions.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the high CVSS score and the potential for total system compromise, administrators must prioritize updating the ProfilePress plugin immediately. Ensure that all plugin dependencies are also verified during the update process to maintain a secure environment.