Profile Builder – User Profile & User Registration Forms <= 3.6.1 Reflected Cross-Site Scripting
CVE-2022-0653

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Profile Builder – User Profile & User Registration Forms
Vendor: CVE Published:; 24 February 2022

What is CVE-2022-0653?

The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.

Affected Version(s)

Profile Builder – User Profile & User Registration Forms 3.6.1

References

https://www.wordfence.com/blog/2022/02/reflected-cross-si...

x_refsource_MISC

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

x_refsource_MISC

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2022
Vulnerability Reserved
Feb 16, 2022

Credit

Chloe Chamberland, Wordfence

JSON