User Profile Builder < 3.11.8 - File Upload

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP. id: CVE-2024-6366 info: name: User Profile Builder 3.11.8 - File Upload author: s4e-io severity: high...

Profile Builder < 3.4.9 - Improper Authentication

The Profile Builder plugin before 3.4.9 for WordPress allows unauthenticated attackers to gain administrative access by exploiting an improper authentication vulnerability in the password reset functionality. An attacker can reset the password of any user, including administrators, without proper...

EUVD-2026-37608

Unauthenticated Cross Site Scripting XSS in Profile Builder Pro = 3.15.0 versions...

CVE-2026-42385

Unauthenticated Cross Site Scripting XSS in Profile Builder Pro = 3.15.0 versions...

CVE-2026-42385 WordPress Profile Builder Pro plugin <= 3.15.0 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Profile Builder Pro = 3.15.0 versions...

CVE-2026-42385

The CVE concerns WordPress Profile Builder Pro plugin, versions ≤ 3.15.0, with an Unauthenticated Cross Site Scripting (XSS) vulnerability. The issue affects the plugin’s handling of input in a way that allows an attacker without authentication to inject script resulting in client-side execution....

PT-2026-47074

Name of the Vulnerable Software and Affected Versions WP User Manager – User Profile Builder & Membership versions prior to 2.9.18 Description The plugin is susceptible to Local File Inclusion, a condition where an application includes files on a local server unexpectedly. This occurs through the...

WordPress Profile Builder Pro plugin <= 3.14.5 - Unauthenticated PHP Object Injection vulnerability

Unauthenticated PHP Object Injection vulnerability discovered by 0xbro in WordPress Plugin Profile Builder Pro versions = 3.14.5...

CVE-2026-7647

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVE-2026-7647

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVE-2026-7647 Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

EUVD-2026-26750

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVE-2026-7647 Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVE-2026-7647

Profile Builder Pro for WordPress (versions up to 3.14.5) is vulnerable to PHP Object Injection due to maybe_unserialize() on the attacker-controlled 'args' parameter in wppb_request_users_pins_action_callback(). The AJAX handler is registered for both authenticated and unauthenticated requests (...

CVE-2026-7647

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybeunserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

PT-2026-36582

Name of the Vulnerable Software and Affected Versions Profile Builder Pro versions prior to 3.14.6 Description The Profile Builder Pro plugin for WordPress is susceptible to PHP Object Injection. This occurs because the wppb request users pins action callback AJAX handler uses the maybe unseriali...

WordPress plugin Profile Builder Pro 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

WordPress Profile Builder Pro plugin <= 3.15.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Profile Builder Pro versions = 3.15.0...

Exploit for CVE-2025-15030

CVE-2025-15030 User Profile Builder 3.15.2 - Unauthentica...

CVE-2026-3139

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppbsaveavatarvalue function due to missing validation on a user controlled key...