Plugin Vulnerability Hub
Plugin | 41 known issues | Latest disclosed: Apr 03, 2026

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress Vulnerabilities

Review known vulnerability records for the WordPress plugin Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (`wp-user-avatar`), including severity, CVE references, affected versions, and patch status.

Known Records: 41
High or Critical: 10
Linked CVEs: 39
Last Updated: Apr 04, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility: 41 records include a published patch path.
Severity Mix: 4 critical and 6 high severity findings.
Reference Workflow: Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.

Known Vulnerabilities

Reports for Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2026-3309
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-sup...

Published: Apr 03, 2026
Patched Release: 4.16.12
Affected Versions: Versions up to 4.16.11
Next Step: Update to 4.16.12 or newer if supported.

Plugin | High | Patched: Yes | CVE-2026-3445
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to unauthorized membership payment bypass in all versions up to, and including, 4.16.11. This is due to a missing ownership...

Published: Apr 03, 2026
Patched Release: 4.16.12
Affected Versions: Versions up to 4.16.11
Next Step: Update to 4.16.12 or newer if supported.

Plugin | High | Patched: Yes | CVE-2026-3453
ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration

The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout A...

Published: Mar 10, 2026
Patched Release: 4.16.12
Affected Versions: Versions up to 4.16.11
Next Step: Update to 4.16.12 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-13642
ProfilePress <= 4.16.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the...

Published: Dec 08, 2025
Patched Release: 4.16.8
Affected Versions: Versions up to 4.16.7
Next Step: Update to 4.16.8 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-8878
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.4 - Unauthenticated Arbitrary Shortcode Execution

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing use...

Published: Aug 15, 2025
Patched Release: 4.16.5
Affected Versions: Versions up to 4.16.4
Next Step: Update to 4.16.5 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-13119
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.15.19 - Authenticated (Admin+) Stored Cross-Site Scripting

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.19 due to insufficient input s...

Published: Jan 23, 2025
Patched Release: 4.15.20
Affected Versions: Versions up to 4.15.19
Next Step: Update to 4.15.20 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-13120
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.15.19 - Authenticated (Admin+) Stored Cross-Site Scripting

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.19 due to insufficient input s...

Published: Jan 23, 2025
Patched Release: 4.15.20
Affected Versions: Versions up to 4.15.19
Next Step: Update to 4.15.20 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-13121
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.15.19 - Authenticated (Admin+) Stored Cross-Site Scripting

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.19 due to insufficient input s...

Published: Jan 23, 2025
Patched Release: 4.15.20
Affected Versions: Versions up to 4.15.19
Next Step: Update to 4.15.20 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-11083
ProfilePress <= 4.15.18 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

The ProfilePress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.15.18 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been rest...

Published: Nov 26, 2024
Patched Release: 4.15.19
Affected Versions: Versions up to 4.15.18
Next Step: Update to 4.15.19 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-10517
ProfilePress <= 4.15.14 - Authenticated (Admin+) Stored Cross-Site Scripting via "Labels"

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via "Label" settings in all versions up to, and including, 4.15.14 due to insufficient input...

Published: Nov 21, 2024
Patched Release: 4.15.15
Affected Versions: Versions up to 4.15.14
Next Step: Update to 4.15.15 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-10518
ProfilePress <= 4.15.14 - Authenticated (Admin+) Stored Cross-Site Scripting via "Product Files"

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via "Product Files" settings in all versions up to, and including, 4.15.14 due to insufficie...

Published: Nov 21, 2024
Patched Release: 4.15.15
Affected Versions: Versions up to 4.15.14
Next Step: Update to 4.15.15 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2024-2861
ProfilePress <= 4.15.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via ProfilePress User Panel Widget

The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ProfilePress User Panel widget in all versions up to, and including, 4.15.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

Published: May 22, 2024
Patched Release: 4.15.9
Affected Versions: Versions up to 4.15.8
Next Step: Update to 4.15.9 or newer if supported.