Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable plugin form, no auth to inject, but execution needs an admin to view the payload (UI:R); scope changes into the admin session with limited C/I/A impact typical of XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.
AnalysisAI
Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Profile Builder Pro is a commercial WordPress plugin from Cozmoslabs (CPE cpe:2.3:a:cozmoslabs:profile_builder_pro) used to build front-end user registration, login, and profile-edit forms on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning attacker-supplied input - likely submitted through one of the plugin's public-facing profile or registration form fields - is rendered back into HTML without sufficient encoding or sanitization, allowing arbitrary <script> or event-handler payloads to execute in the rendering browser context. The scope:changed CVSS metric is consistent with XSS in a plugin context where the injected script crosses the trust boundary into an authenticated administrator's session.
RemediationAI
Patch available per vendor advisory - upgrade Profile Builder Pro to the version released after 3.15.0 as published by Cozmoslabs and tracked in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/profile-builder-pro/vulnerability/wordpress-profile-builder-pro-plugin-3-15-0-cross-site-scripting-xss-vulnerability); the exact fixed version is not stated in the provided intelligence, so verify against the plugin changelog before deployment. As compensating controls until patching, disable public user registration in the plugin settings (trade-off: blocks legitimate signups), restrict access to plugin-rendered profile and registration pages with a WAF rule that strips <script>, on* event handlers, and javascript: URIs from submitted form fields (trade-off: may break rich-text profile fields), and enforce a strict Content-Security-Policy that forbids inline script execution on admin pages (trade-off: can break other plugins that rely on inline scripts).
More in Profile Builder Pro
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37608