Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-04
CVE-2025-4671 - Profile Builder Plugin
The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Profile Builder
CVE-2025-4671
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-6708 - Profile Builder Plugin
The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks.
PLUGIN
Profile Builder
CVE-2024-6708
Risk Score
Threat Entry
Updated 2025-04-16
CVE-2025-2314 - Profile Builder Plugin
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially patched in version 3.13.6 of the plugin, and fully…
PLUGIN
Profile Builder
CVE-2025-2314
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12738 - Profile Builder Plugin
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several user meta parameters in all versions up to, and including, 3.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks a link to show user meta.
PLUGIN
Profile Builder
CVE-2024-12738
Risk Score
Threat Entry
Updated 2025-05-30
CVE-2024-6366 - Profile Builder Plugin
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
PLUGIN
Profile Builder
CVE-2024-6366
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-0324 - Profile Builder Plugin
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.
PLUGIN
Profile Builder
CVE-2024-0324
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6504 - Profile Builder Plugin
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata.
PLUGIN
Profile Builder
CVE-2023-6504
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2023-4059 - Profile Builder Plugin
The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog
PLUGIN
Profile Builder
CVE-2023-4059
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2297 - Profile Builder Plugin
The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on…
PLUGIN
Profile Builder
CVE-2023-2297
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0814 - Profile Builder Plugin
The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. This does require the Usermeta shortcode be enabled to be exploited.
PLUGIN
Profile Builder
CVE-2023-0814
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-36915 - Profile Builder Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin
PLUGIN
Profile Builder
CVE-2021-36915
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0884 - Profile Builder Plugin
The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and description, which could allow high privilege user such as admin to perform Criss-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Profile Builder
CVE-2022-0884
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0653 - Profile Builder Plugin
The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.
PLUGIN
Profile Builder
CVE-2022-0653
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24527 - Profile Builder Plugin
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example.
PLUGIN
Profile Builder
CVE-2021-24527
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24448 - Profile Builder Plugin
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
PLUGIN
Profile Builder
CVE-2021-24448
Risk Score