PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13352 properfraction CVE debrief

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress has an Arbitrary File Upload vulnerability in all versions up to, and including, 4.16.18. This is due to an unconditional registration of an upload_mimes filter that adds executable file extensions to the global WordPress MIME allowlist without scoping it to digital-product upload contexts. Authenticated attackers with author-level access and above can upload potentially executable files, enabling remote code execution.

Vendor
properfraction
Product
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of WordPress sites with the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin installed should be aware of this vulnerability and take immediate action to protect their sites.

Technical summary

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload. The vulnerability exists due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This allows authenticated attackers, with author-level access and above, to upload files that may be executable, which can lead to remote code execution.

Defensive priority

High

Recommended defensive actions

  • Update the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin to the latest version.
  • Restrict file uploads to only necessary users and contexts.
  • Monitor for suspicious file uploads and system changes.
  • Implement additional security measures such as Web Application Firewalls (WAFs) and intrusion detection systems.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-17T05:16:36.730Z and has not been modified since then. The NVD entry is currently Received. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry. Defenders should verify the affected scope and severity based on the official advisory or CVE record.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:36.730Z and has not been modified since then. The NVD entry is currently Received.