Skip to main content

Profile Builder Pro CVE-2026-27413

| EUVDEUVD-2026-13057 CRITICAL
SQL Injection (CWE-89)
2026-03-19 Patchstack
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 28, 2026 - 19:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 19, 2026 - 06:00 euvd
EUVD-2026-13057
Analysis Generated
Mar 19, 2026 - 06:00 vuln.today
CVE Published
Mar 19, 2026 - 05:28 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a through 3.13.9.

AnalysisAI

Blind SQL injection in Profile Builder Pro WordPress plugin versions up to 3.13.9 allows remote unauthenticated attackers to extract database contents and cause service degradation. The vulnerability exploits improper input sanitization in SQL queries, enabling attackers to manipulate database commands without authentication. CVSS score of 9.3 (Critical) reflects network-accessible attack surface with no authentication barrier, though EPSS score of 0.03% (8th percentile) indicates minimal observed exploitation attempts. Patchstack database confirms vulnerability details; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-89 (SQL Injection) in the Profile Builder Pro WordPress plugin developed by Cozmoslabs. The affected component fails to properly sanitize user-supplied input before incorporating it into SQL queries, creating a classic injection point. As a blind SQL injection variant, attackers cannot directly view query results but can infer database contents through boolean-based or time-based techniques by observing application responses or timing differences. The CPE identifier (cpe:2.3:a:cozmoslabs:profile_builder_pro) confirms this affects the commercial premium version of the plugin used for customizing WordPress user profiles and registration forms. WordPress plugins frequently interact with database tables to store custom user metadata, and insufficient parameterized query usage or sanitization in these operations creates SQL injection vectors.

RemediationAI

Upgrade Profile Builder Pro to version 3.13.10 or later, which contains fixes for the SQL injection vulnerability according to standard WordPress plugin versioning convention (patch typically released as next minor version after disclosed vulnerable version). Access the Cozmoslabs customer portal or WordPress plugin update mechanism to obtain the patched release. Patchstack advisory at https://patchstack.com/database/wordpress/plugin/profile-builder-pro/vulnerability/wordpress-profile-builder-pro-plugin-3-13-9-sql-injection-vulnerability should be consulted for vendor-specific remediation guidance. If immediate patching is not feasible, implement compensating controls: deploy web application firewall (WAF) rules targeting SQL injection patterns in POST/GET parameters processed by Profile Builder Pro endpoints (trade-off: potential false positives blocking legitimate profile updates containing SQL-like syntax); restrict wp-admin and plugin endpoints to authenticated administrator IP ranges via .htaccess or server configuration (trade-off: breaks public user registration functionality); temporarily disable Profile Builder Pro plugin and revert to WordPress core registration until patching completes (trade-off: loss of custom profile field functionality and user experience degradation).

Share

CVE-2026-27413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy