CVE-2025-13642 is a code injection vulnerability classified under CWE-94 affecting the ProfilePress WordPress plugin, specifically the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content components. The vulnerability exists due to insufficient sanitization of the 'type' parameter in the form preview functionality accessible via the pp_preview_form endpoint. This flaw allows authenticated attackers with Subscriber-level privileges or higher to inject and execute arbitrary WordPress shortcodes. Shortcodes in WordPress can execute PHP code or trigger plugin functionality, so arbitrary shortcode execution can lead to unauthorized actions such as data leakage, privilege escalation, or manipulation of site content. The vulnerability affects all versions up to and including 4.16.7 of the plugin. The attack vector is remote network-based (AV:N), requires low attack complexity (AC:L), low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), and the impact affects confidentiality and integrity to a limited extent (C:L/I:L) but not availability (A:N). The CVSS v3.1 base score is 5.4, indicating medium severity. No patches or known exploits are currently publicly available, but the vulnerability is published and should be addressed promptly to prevent exploitation.

The vulnerability allows authenticated users with minimal privileges (Subscriber-level) to execute arbitrary shortcodes, which can lead to unauthorized disclosure of sensitive information (confidentiality impact) and unauthorized modification of site content or user data (integrity impact). While it does not directly impact system availability, the ability to execute arbitrary shortcodes can be leveraged to escalate privileges or pivot to further attacks within the WordPress environment. For organizations relying on the ProfilePress plugin for membership management, ecommerce, or user registration, this could result in data breaches, defacement, or unauthorized access to restricted content. The medium severity rating reflects the moderate risk posed by the vulnerability, especially in environments with many low-privileged users. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once details are public. Organizations with high-value or sensitive user data are particularly at risk.

1. Immediately update the ProfilePress plugin to a version that addresses this vulnerability once available. Monitor vendor announcements for patches. 2. If a patch is not yet available, restrict access to the pp_preview_form endpoint by implementing web application firewall (WAF) rules that block or limit access to authenticated users with higher privileges only. 3. Harden WordPress user roles by minimizing the number of users with Subscriber or higher privileges and reviewing user permissions regularly. 4. Employ input validation and sanitization plugins or custom code to filter shortcode inputs where possible. 5. Monitor logs for unusual shortcode execution or access patterns to the form preview functionality. 6. Consider disabling or limiting the use of shortcodes in user-submitted content or forms if feasible. 7. Conduct regular security audits and vulnerability scans to detect exploitation attempts. 8. Educate site administrators about the risks of low-privileged user capabilities and the importance of timely updates.