Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin

Wordfence

On January 4, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript. If the attacker is able to trick a site administrator or user into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.

All Wordfence users, including users of our Free, Premium, Care, and Response products, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting (XSS) protection.

We sent the full disclosure details to the developer on January 6, 2022, after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Profile Builder – User Profile & User Registration Forms”, which is version 3.6.5 at the time of this publication.

