Skip to main content

Paid Membership Plugin Ecommerce User Registration Form Login Form User Profile Restrict Content Profilepress CVE-2026-13352

| EUVDEUVD-2026-45134 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-07-17 Wordfence GHSA-6x2r-8q58-rj53
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (Wordfence) · only source for this CVE.

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 05:16 vuln.today
CVE Published
Jul 17, 2026 - 03:43 cve.org
HIGH 8.8

DescriptionCVE.org

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowed_mime_types function. This is due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. This filter is registered globally on every request regardless of whether the digital products feature is configured or in use, meaning the expanded MIME allowlist affects all WordPress upload contexts site-wide.

AnalysisAI

Remote code execution is possible in the ProfilePress WordPress plugin (Paid Membership, Ecommerce, User Registration) in all versions through 4.16.18, where the DigitalProducts UploadHandler unconditionally registers an upload_mimes filter that whitelists executable extensions (.exe, .apk, .msi) across every WordPress upload context site-wide. Authenticated attackers with author-level access or above (per CVSS PR:L) can leverage this expanded MIME allowlist to upload executable files, leading to code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: audit all WordPress installations using ProfilePress to identify affected versions (4.16.18 and below) and document which users have author or administrator roles with upload capabilities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy