Profile Builder Pro
Monthly
Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Blind SQL injection in Profile Builder Pro WordPress plugin versions up to 3.13.9 allows remote unauthenticated attackers to extract database contents and cause service degradation. The vulnerability exploits improper input sanitization in SQL queries, enabling attackers to manipulate database commands without authentication. CVSS score of 9.3 (Critical) reflects network-accessible attack surface with no authentication barrier, though EPSS score of 0.03% (8th percentile) indicates minimal observed exploitation attempts. Patchstack database confirms vulnerability details; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.
Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Blind SQL injection in Profile Builder Pro WordPress plugin versions up to 3.13.9 allows remote unauthenticated attackers to extract database contents and cause service degradation. The vulnerability exploits improper input sanitization in SQL queries, enabling attackers to manipulate database commands without authentication. CVSS score of 9.3 (Critical) reflects network-accessible attack surface with no authentication barrier, though EPSS score of 0.03% (8th percentile) indicates minimal observed exploitation attempts. Patchstack database confirms vulnerability details; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.