PHP Object Injection Vulnerability in Profile Builder Pro Plugin for WordPress
CVE-2026-7647

8.1HIGH

Key Information:

Vendor: WordPress
Status: Profile Builder Pro
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-7647?

The Profile Builder Pro plugin for WordPress contains a significant vulnerability that allows unauthenticated users to exploit PHP Object Injection. This occurs due to the improper handling of the 'args' POST parameter in the wppb_request_users_pins_action_callback() AJAX handler, which utilizes the maybe_unserialize() function without adequate nonce verification, type checking, or input validation. As a result, an attacker can inject arbitrary PHP objects into the application's memory, creating severe security risks for affected WordPress installations.

Affected Version(s)

Profile Builder Pro 0 <= 3.14.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/profile-builde...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
May 1, 2026

Credit

Mattia Brollo

CVE-2026-7647 Data

JSON