Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro profile-builder-pro allows Blind SQL Injection. This issue affects Profile Builder Pro: from n/a through < 3.14.0.
Published: 2026-03-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection leading to data compromise
Action: Patch Immediately
AI Analysis

Impact

Improper neutralization of special elements in an SQL command allows the Profile Builder Pro plugin to be exploited via blind SQL injection. An attacker can manipulate input parameters to retrieve, modify, or delete data stored in the database, potentially exposing sensitive user information or enabling further compromise.

Affected Systems

All WordPress installations that use Cozmoslabs Profile Builder Pro version 3.13.9 or any earlier release are affected. The vulnerability applies to every instance of the plugin deployed before the 3.14.0 release.

Risk and Exploitability

The CVSS score of 9.3 marks this flaw as critical, and while the EPSS score indicates a low probability of exploitation currently (<1%), the potential impact remains high. The exploit is performed through web interfaces provided by the plugin, likely requiring access to plugin forms or endpoints. Once an injection is successful, the attacker can extract or alter data, and, depending on database privileges, may achieve further lateral movement. The vulnerability is not listed in the CISA KEV catalog, so no known widespread exploitation has been reported yet.

Generated by OpenCVE AI on April 3, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest plugin version (at least 3.14.0).
  • If unable to update, disable or remove the Profile Builder Pro plugin from the site.
  • Verify database integrity and check for unauthorized data access.
  • Monitor web traffic and logs for signs of SQL injection attempts.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a before 3.14.0.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro profile-builder-pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a through < 3.14.0.

Type: References

Fri, 03 Apr 2026 10:15:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a through 3.13.9.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a before 3.14.0.

Type: Title
Values Removed: WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability
Values Added: WordPress Profile Builder Pro plugin < 3.14.0 - SQL Injection vulnerability

Thu, 19 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Cozmoslabs; Cozmoslabs profile Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Cozmoslabs; Cozmoslabs profile Builder; Wordpress; Wordpress wordpress

Thu, 19 Mar 2026 06:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a through 3.13.9.

Type: Title
Values Added: WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:10.944Z

Reserved: 2026-02-19T09:52:22.262Z

Link: CVE-2026-27413

Vulnrichment

Updated: 2026-03-19T14:09:52.409Z

NVD

Status: Deferred

Published: 2026-03-19T06:16:25.600

Modified: 2026-04-23T15:37:21.897

Link: CVE-2026-27413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:18:16Z

Weaknesses