Profile Builder – User Profile & User Registration Forms <= 3.6.1 Reflected Cross-Site Scripting
CVE-2022-0653

6.1MEDIUM

Key Information:

Vendor

WordPress
Status
Profile Builder – User Profile & User Registration Forms
Vendor
CVE Published:
24 February 2022

What is CVE-2022-0653?

The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Profile Builder – User Profile & User Registration Forms 3.6.1

References

https://www.wordfence.com/blog/2022/02/reflected-cross-si...
x_refsource_MISC
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...
x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chloe Chamberland, Wordfence
JSON
.