Skip to main content

Profile Builder Pro EUVD-2026-26750

| CVE-2026-7647 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-02 Wordfence
PHP WordPress Deserialization
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 06:32 vuln.today
EUVD ID Assigned
May 02, 2026 - 06:00 euvd
EUVD-2026-26750
Analysis Generated
May 02, 2026 - 06:00 vuln.today
CVE Published
May 02, 2026 - 05:29 nvd
HIGH 8.1

DescriptionNVD

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.

AnalysisAI

Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: disable or remove Profile Builder Pro plugin; audit WordPress for unauthorized access and suspicious code. Within 7 days: implement Web Application Firewall (WAF) rules blocking requests to wppb_request_users_pins_action_callback endpoint if plugin cannot be removed; review server logs for exploitation attempts. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-7862 HIGH POC
8.6 May 28

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
CVE-2026-8760 CRITICAL
9.8 May 27

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
CVE-2026-42727 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
CVE-2026-42761 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and

CVE-2026-8832 HIGH
8.8 May 27

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run

Share

EUVD-2026-26750 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy