WordPress Profile Builder plugin <= 3.6.0 - Cross-Site Request Forgery (CSRF) vulnerability
CVE-2021-36915

4.2MEDIUM

Key Information:

Vendor: Wordpress
Status: Profile Builder – User Profile & User Registration Forms (WordPress Plugin)
Vendor: CVE Published:; 11 October 2022

Summary

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

Affected Version(s)

Profile Builder – User Profile & User Registration Forms (WordPress plugin) <= 3.6.0 <= 3.6.0

References

https://patchstack.com/database/vulnerability/profile-bui...

https://wordpress.org/plugins/profile-builder/#developers

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 11, 2022
Vulnerability Reserved
Jul 19, 2021

Credit

Vulnerability discovered by John Castro aka mirphak (Patchstack Alliance)