cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forprofile-builder profile-builder

Direction: ascending
Jun 06, 2024

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor # CVE-2022-0884

CVE, Research URL

CVE-2022-0884

Home page URL

Security reports for User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Application

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Date
Apr 04, 2022
Research Description
The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and description, which could allow high privilege user such as admin to perform Criss-Site Scripting attacks even when unfiltered_html is disallowed
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor # CVE-2014-10380

CVE, Research URL

CVE-2014-10380

Home page URL

Security reports for User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Application

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Date
Aug 21, 2019
Research Description
The profile-builder plugin before 1.1.66 for WordPress has multiple XSS issues in forms.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor # CVE-2016-10911

CVE, Research URL

CVE-2016-10911

Home page URL

Security reports for User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Application

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Date
Aug 21, 2019
Research Description
The profile-builder plugin before 2.4.2 for WordPress has multiple XSS issues.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor # CVE-2015-9337

CVE, Research URL

CVE-2015-9337

Home page URL

Security reports for User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Application

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Date
Aug 22, 2019
Research Description
The profile-builder plugin before 2.1.4 for WordPress has no access control for activating or deactivating addons via AJAX.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor # CVE-2021-24448

CVE, Research URL

CVE-2021-24448

Home page URL

Security reports for User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Application

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Date
Aug 02, 2021
Research Description
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor # CVE-2022-0653

CVE, Research URL

CVE-2022-0653

Home page URL

Security reports for User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Application

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Date
Feb 25, 2022
Research Description
The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor # CVE-2021-36915

CVE, Research URL

CVE-2021-36915

Home page URL

Security reports for User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Application

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Date
Oct 12, 2022
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2015-9328

CVE, Research URL

CVE-2015-9328

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Aug 21, 2019
Research Description
The profile-builder plugin before 2.2.5 for WordPress has XSS.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2014-8492

CVE, Research URL

CVE-2014-8492

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Oct 06, 2017
Research Description
Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2021-24527

CVE, Research URL

CVE-2021-24527

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Aug 16, 2021
Research Description
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2023-2297

CVE, Research URL

CVE-2023-2297

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Apr 27, 2023
Research Description
The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2023-0814

CVE, Research URL

CVE-2023-0814

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Feb 14, 2023
Research Description
The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including 3.9.0. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to retrieve sensitive user meta that can be used to gain access to a high privileged user account. This does require the Usermeta shortcode be enabled to be exploited.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2023-4059

CVE, Research URL

CVE-2023-4059

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Sep 04, 2023
Research Description
The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2023-47669

CVE, Research URL

CVE-2023-47669

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Nov 13, 2023
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin <= 3.10.3 versions.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2023-6504

CVE, Research URL

CVE-2023-6504

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Jan 11, 2024
Research Description
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2024-0324

CVE, Research URL

CVE-2024-0324

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Feb 06, 2024
Research Description
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.
Affected versions
Min -, max -.
Status
vulnerable

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2024-31341

CVE, Research URL

CVE-2024-31341

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
May 17, 2024
Research Description
Insufficient Verification of Data Authenticity vulnerability in Cozmoslabs Profile Builder allows Functionality Bypass.This issue affects Profile Builder: from n/a through 3.11.2.
Affected versions
Min -, max -.
Status
vulnerable
Jul 25, 2024

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2024-6695

CVE, Research URL

CVE-2024-6695

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Jul 31, 2024
Research Description
it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow on the user registration process.
Affected versions
Min -, max -.
Status
vulnerable
Jul 30, 2024

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2024-6366

CVE, Research URL

CVE-2024-6366

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Jul 29, 2024
Research Description
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
Affected versions
Min -, max -.
Status
vulnerable
Jan 09, 2025

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2024-12738

CVE, Research URL

CVE-2024-12738

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Jan 07, 2025
Research Description
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several user meta parameters in all versions up to, and including, 3.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks a link to show user meta.
Affected versions
Min -, max -.
Status
vulnerable
Apr 17, 2025

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor # CVE-2025-2314

CVE, Research URL

CVE-2025-2314

Home page URL

Security reports for User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Application

User Profile Builder &#8211; Beautiful User Registration Forms, User Profiles &amp; User Role Editor

Date
Apr 16, 2025
Research Description
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially patched in version 3.13.6 of the plugin, and fully patched in 3.13.7.
Affected versions
Min -, max -.
Status
vulnerable