The vulnerability identified as CVE-2026-3309 involves improper control of code generation (CWE-94) in the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress WordPress plugin. Specifically, the plugin allows user-supplied billing field values from the checkout process to be directly interpolated into shortcode template strings. These shortcodes are then processed without adequate sanitization of the shortcode syntax, enabling unauthenticated attackers to inject and execute arbitrary shortcodes. This flaw exists in all versions up to and including 4.16.11. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity. No official fix or patch has been documented as of the published date.

An unauthenticated attacker can exploit this vulnerability to execute arbitrary shortcodes within the affected WordPress plugin context. This can lead to partial compromise of data confidentiality and integrity. There is no indication of availability impact. No known exploits in the wild have been reported. The vulnerability could potentially allow attackers to manipulate plugin behavior or access sensitive information through shortcode execution.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the affected plugin features that process billing field values or implement custom input validation and sanitization to prevent shortcode injection. Monitor vendor channels for updates and apply patches promptly once available.