Skip to main content

Profile Builder Pro EUVDEUVD-2026-37608

| CVE-2026-42385 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable plugin form, no auth to inject, but execution needs an admin to view the payload (UI:R); scope changes into the admin session with limited C/I/A impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:10 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Profile Builder Pro is a commercial WordPress plugin from Cozmoslabs (CPE cpe:2.3:a:cozmoslabs:profile_builder_pro) used to build front-end user registration, login, and profile-edit forms on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning attacker-supplied input - likely submitted through one of the plugin's public-facing profile or registration form fields - is rendered back into HTML without sufficient encoding or sanitization, allowing arbitrary <script> or event-handler payloads to execute in the rendering browser context. The scope:changed CVSS metric is consistent with XSS in a plugin context where the injected script crosses the trust boundary into an authenticated administrator's session.

RemediationAI

Patch available per vendor advisory - upgrade Profile Builder Pro to the version released after 3.15.0 as published by Cozmoslabs and tracked in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/profile-builder-pro/vulnerability/wordpress-profile-builder-pro-plugin-3-15-0-cross-site-scripting-xss-vulnerability); the exact fixed version is not stated in the provided intelligence, so verify against the plugin changelog before deployment. As compensating controls until patching, disable public user registration in the plugin settings (trade-off: blocks legitimate signups), restrict access to plugin-rendered profile and registration pages with a WAF rule that strips <script>, on* event handlers, and javascript: URIs from submitted form fields (trade-off: may break rich-text profile fields), and enforce a strict Content-Security-Policy that forbids inline script execution on admin pages (trade-off: can break other plugins that rely on inline scripts).

Share

EUVD-2026-37608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy