CVE-2025-8878 Information
Description
The The Paid Membership Plugin Ecommerce User Registration Form Login Form User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to and including 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Reference
https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/RegistrationAuth.php#L131 https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L318 https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L329 https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L339 https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/ShortcodeParser/Builder/FrontendProfileBuilder.php#L385 https://plugins.trac.wordpress.org/changeset/3345295/ https://www.wordfence.com/threat-intel/vulnerabilities/id/9309b8bf-f581-4a56-a1ed-3941ebb36127?source=cve
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
LOW
Availability Impact
LOW
Base Score
NONE
Base Severity
6.5
Related CNNVD
CNNVD-202508-1975 (Published: 2025-08-16)
Share on: