Profile Builder

Source repositories

https://plugins.svn.wordpress.org/profile-builder/

CVEs (4)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-4671	WordPress Profile Builder	Med	0.42	6.4	0.00	Jun 3, 2025	The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-12738	WordPress Profile Builder	Med	0.40	6.1	0.02	Jan 7, 2025	The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several user meta parameters in all versions up to, and including, 3.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks a link to show user meta.
CVE-2024-31341	WordPress Profile Builder	Med	0.34	5.3	0.00	May 17, 2024	Insufficient Verification of Data Authenticity vulnerability in Cozmoslabs Profile Builder allows Functionality Bypass.This issue affects Profile Builder: from n/a through 3.11.2.
CVE-2025-49292	WordPress Profile Builder	Med	0.28	4.3	0.00	Jun 6, 2025	Improper Validation of Specified Quantity in Input vulnerability in Cozmoslabs Profile Builder profile-builder allows Phishing.This issue affects Profile Builder: from n/a through <= 3.13.8.

CVE-2025-4671MedJun 3, 2025
WordPress
Profile Builder
risk 0.42cvss 6.4epss 0.00
The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-12738MedJan 7, 2025
WordPress
Profile Builder
risk 0.40cvss 6.1epss 0.02
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several user meta parameters in all versions up to, and including, 3.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks a link to show user meta.
CVE-2024-31341MedMay 17, 2024
WordPress
Profile Builder
risk 0.34cvss 5.3epss 0.00
Insufficient Verification of Data Authenticity vulnerability in Cozmoslabs Profile Builder allows Functionality Bypass.This issue affects Profile Builder: from n/a through 3.11.2.
CVE-2025-49292MedJun 6, 2025
WordPress
Profile Builder
risk 0.28cvss 4.3epss 0.00
Improper Validation of Specified Quantity in Input vulnerability in Cozmoslabs Profile Builder profile-builder allows Phishing.This issue affects Profile Builder: from n/a through <= 3.13.8.