WordPress Profile Builder Pro Plugin <= 3.10.0 is vulnerable to Cross Site Scripting (XSS)
CVE-2024-22142

7.1HIGH

Key Information:

Vendor: WordPress
Status: Profile Builder Pro
Vendor: CVE Published:; 13 January 2024

Summary

A reflected cross-site scripting (XSS) vulnerability exists in Cozmoslabs Profile Builder Pro, specifically affecting versions from n/a to 3.10.0. This vulnerability arises from improper neutralization of user input during web page generation, allowing an attacker to inject malicious scripts. When a crafted link is clicked by a user, the malicious script can execute in the context of the user's browser, potentially leading to unauthorized actions and data exposure. It is crucial for users of Profile Builder Pro to review their configurations and apply recommended patches or updates to mitigate these risks.

Affected Version(s)

Profile Builder Pro <= 3.10.0

References

https://patchstack.com/database/vulnerability/profile-bui...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 13, 2024
Vulnerability Reserved
Jan 5, 2024

Credit

Dave Jong (Patchstack)