Skip to main content

Paid Membership Plugin Ecommerce User Registration Form Login Form User Profile Restrict Content Profilepress

1 CVEs product

Monthly

CVE-2026-13352 HIGH This Week

Remote code execution is possible in the ProfilePress WordPress plugin (Paid Membership, Ecommerce, User Registration) in all versions through 4.16.18, where the DigitalProducts UploadHandler unconditionally registers an upload_mimes filter that whitelists executable extensions (.exe, .apk, .msi) across every WordPress upload context site-wide. Authenticated attackers with author-level access or above (per CVSS PR:L) can leverage this expanded MIME allowlist to upload executable files, leading to code execution. There is no public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.

RCE WordPress File Upload Paid Membership Plugin Ecommerce User Registration Form Login Form User Profile Restrict Content Profilepress
NVD
CVSS 3.1
8.8
EPSS
0.6%
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution is possible in the ProfilePress WordPress plugin (Paid Membership, Ecommerce, User Registration) in all versions through 4.16.18, where the DigitalProducts UploadHandler unconditionally registers an upload_mimes filter that whitelists executable extensions (.exe, .apk, .msi) across every WordPress upload context site-wide. Authenticated attackers with author-level access or above (per CVSS PR:L) can leverage this expanded MIME allowlist to upload executable files, leading to code execution. There is no public exploit identified at time of analysis, and this CVE is not listed in CISA KEV.

RCE WordPress File Upload +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy