19.02.2020
WordPress plugin Profile Builder – critical vulnerability

Admins who use the Profile Builder plugin in its Free, Hobbyist or Pro edition on WordPress websites should install the current version. Otherwise, attackers could gain full control over websites with comparatively little effort.

The vulnerability is classified as critical and carries the highest rating (CVSS 3.0 score 10 out of 10). A CVE number has apparently not yet been assigned. Attacks can take place directly over the Internet and without authentication. Profile Builder version 3.1.1 is patched. Wordfence warns that all previous versions are vulnerable. So far, they say there have been no attacks.

The plugin gives site visitors the opportunity to create and edit profiles. Due to the vulnerability, attackers could submit input for fields that are not actually present in a form. For example, if an admin creates a form without a field for assigning user rights to registered users, an attacker could still create an admin account.
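The defensive pattern against this class of bug is to accept only the fields the admin placed on the form and to take the role from site configuration. The following is an added illustration in plain PHP, not Profile Builder's code; the form layout, field names and function names are constructed for the example.

```php
<?php
// Added illustration, not Profile Builder code. All names here are hypothetical.

// Keep only fields the admin placed on the form; report everything else.
function filter_submitted_fields(array $form_fields, array $submitted): array
{
    $accepted = [];
    $rejected = [];
    foreach ($submitted as $name => $value) {
        if (in_array($name, $form_fields, true) && is_string($value)) {
            $accepted[$name] = trim($value);
        } else {
            $rejected[] = $name;
        }
    }
    return [$accepted, $rejected];
}

// Build the account record. The role comes from configuration unless the
// form carries a role field, and then only roles the admin listed count.
function build_user_record(array $form, array $submitted): array
{
    [$fields, $rejected] = filter_submitted_fields($form['fields'], $submitted);
    $role = $form['default_role'];
    if (isset($fields['role'])) {
        if (in_array($fields['role'], $form['selectable_roles'], true)) {
            $role = $fields['role'];
        } else {
            $rejected[] = 'role';
        }
    }
    unset($fields['role']);
    return ['user' => $fields + ['role' => $role], 'rejected' => $rejected];
}

// Constructed form definition: the admin added no role field.
$form = [
    'fields'           => ['username', 'email'],
    'default_role'     => 'subscriber',
    'selectable_roles' => [],
];
// Constructed submission carrying a field the form never offered.
$submitted = ['username' => 'alice', 'email' => 'alice@example.test', 'role' => 'administrator'];

$result = build_user_record($form, $submitted);
print_r($result);
// Rejected field names belong in the log: an unexpected "role" is worth an alert.
```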
