Description
The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.
Published: 2026-05-02
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Profile Builder Pro WordPress plugin, where the wppb_request_users_pins_action_callback() AJAX handler processes the 'args' POST parameter using PHP's maybe_unserialize() function without any nonce verification, type checking, or input validation. This lack of defenses allows an attacker to supply a serialized object payload that, when deserialized, can result in arbitrary PHP code execution within the application. The flaw is a classic example of CWE-502, deserialization of untrusted data.

Affected Systems

All installations of Cozmoslabs’ Profile Builder Pro plugin up to and including version 3.14.5 on WordPress are affected. Any WordPress site deploying these plugin versions without additional security hardening is susceptible to exploitation.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity problem. Although an EPSS score is not available, the vulnerability is reachable via unauthenticated AJAX requests, making it trivially exploitable by external actors. The flaw is not listed in CISA's KEV catalog, but the absence of authentication and the presence of object injection mean that remote code execution could be achieved with little to no effort once the target is known.

Generated by OpenCVE AI on May 2, 2026 at 10:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Profile Builder Pro plugin to a version newer than 3.14.5, which removes the vulnerable unserialize usage.
  • If an immediate upgrade is impossible, block unauthenticated access to the offending AJAX endpoint by adding a firewall or .htaccess rule that denies requests to wp_ajax_nopriv_ actions or by disabling the wppb_request_users_pins_action_callback() hook.
  • Implement a Web Application Firewall rule that detects and blocks PHP serialized string patterns in incoming requests, thereby reducing the risk of successful object injection.

Advisories

No advisories yet.

History

Sat, 02 May 2026 06:00:00 +0000

Type         Values Removed   Values Added
Description  -                (same text as the Description above)
Title        -                Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection
Weaknesses   -                CWE-502
References   -                -
Metrics      -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T05:29:30.319Z

Reserved: 2026-05-01T17:10:21.145Z

Link: CVE-2026-7647

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T06:16:04.803

Modified: 2026-05-02T06:16:04.803

Link: CVE-2026-7647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses