Medium severity6.5NVD Advisory· Published Apr 4, 2026· Updated Apr 24, 2026

CVE-2026-3309

Description

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing field values from the checkout process to be interpolated into shortcode template strings that are subsequently processed without proper sanitization of shortcode syntax. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes by submitting crafted billing field values during the checkout process.

Affected products

WordPress/Wp User Avatarinferred
Range: <=4.16.11
Package: https://wordpress.org/plugins/wp-user-avatar
Properfraction/Profilepressllm-fuzzy
Range: <=4.16.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026)
Wordfence Blog · Apr 9, 2026

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000