PatchSiren cyber security CVE debrief
CVE-2026-13352 properfraction CVE debrief
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress has an Arbitrary File Upload vulnerability in all versions up to, and including, 4.16.18. This is due to an unconditional registration of an upload_mimes filter that adds executable file extensions to the global WordPress MIME allowlist without scoping it to digital-product upload contexts. Authenticated attackers with author-level access and above can upload potentially executable files, enabling remote code execution.
- Vendor
- properfraction
- Product
- Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Administrators and users of WordPress sites with the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin installed should be aware of this vulnerability and take immediate action to protect their sites.
Technical summary
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload. The vulnerability exists due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This allows authenticated attackers, with author-level access and above, to upload files that may be executable, which can lead to remote code execution.
Defensive priority
High
Recommended defensive actions
- Update the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin to the latest version.
- Restrict file uploads to only necessary users and contexts.
- Monitor for suspicious file uploads and system changes.
- Implement additional security measures such as Web Application Firewalls (WAFs) and intrusion detection systems.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-17T05:16:36.730Z and has not been modified since then. The NVD entry is currently Received. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry. Defenders should verify the affected scope and severity based on the official advisory or CVE record.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:36.730Z and has not been modified since then. The NVD entry is currently Received.