🔐 CVE Alert

CVE-2026-13352

HIGH 8.8

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content <= 4.16.18 - Authenticated (Author+) Limited Unsafe File Upload via upload_mimes Filter Expansion

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowed_mime_types function. This is due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. This filter is registered globally on every request regardless of whether the digital products feature is configured or in use, meaning the expanded MIME allowlist affects all WordPress upload contexts site-wide.

CWE CWE-434
Vendor properfraction
Product paid membership plugin, ecommerce, user registration form, login form, user profile & restrict content – profilepress
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for properfraction paid membership plugin, ecommerce, user registration form, login form, user profile & restrict content – profilepress

Be the first to know when new high vulnerabilities affecting properfraction paid membership plugin, ecommerce, user registration form, login form, user profile & restrict content – profilepress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

properfraction / Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
0 ≤ 4.16.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/9bb520df-e838-4335-bd4f-97026082a204?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.18/src/Membership/DigitalProducts/UploadHandler.php#L49 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.18/src/Membership/DigitalProducts/UploadHandler.php#L18 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.18/src/Membership/DigitalProducts/Init.php#L9 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.14/src/Membership/DigitalProducts/UploadHandler.php#L49 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.14/src/Membership/DigitalProducts/UploadHandler.php#L18 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.14/src/Membership/DigitalProducts/Init.php#L9 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?reponame=&old=3599012%40wp-user-avatar&new=3599012%40wp-user-avatar

Credits

skyv3il Chirita Catalin-Andrei (CC99IE)