Profile Builder Pro PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Profile Builder Pro plugin for WordPress, affecting all versions up to and including 3.14.5. The issue arises from the wppb_request_users_pins_action_callback() AJAX handler, which processes the 'args' POST parameter using PHP's maybe_unserialize() function. This deserialization lacks proper nonce verification, type checking, and input validation, leaving it open to exploitation by unauthenticated users. The vulnerability allows attackers to inject arbitrary PHP objects into the application's memory.

Impact

Successful exploitation lets an attacker inject arbitrary PHP objects and manipulate the object-oriented features of the application, potentially leading to more severe consequences such as code execution or application-level attacks.

Remediation

Users are advised to update the Profile Builder Pro plugin to version 3.14.6 or a newer patched version.
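The condition described above (serialized PHP data carrying objects in the 'args' POST parameter) can be checked for in captured request bodies. The following Python is an added example, not code from the plugin or from this advisory; the function names and sample bodies are constructed for illustration, and any type tag the parser does not handle is reported as "malformed" rather than guessed at.

```python
from urllib.parse import parse_qs, urlencode

def _read_int(buf, pos):
    end = buf.index(b":", pos)               # ValueError if ':' is missing
    if not buf[pos:end].isdigit():           # rejects empty, signed or negative lengths
        raise ValueError("bad length")
    return int(buf[pos:end]), end + 1

def _read_str(buf, pos):                     # LEN:"bytes" where LEN is a byte count
    n, pos = _read_int(buf, pos)
    if buf[pos:pos + 1] != b'"' or buf[pos + 1 + n:pos + 2 + n] != b'"':
        raise ValueError("bad string framing")
    return buf[pos + 1:pos + 1 + n], pos + 2 + n

def _value(buf, pos, found):                 # parse one value, return the next offset
    tag = buf[pos:pos + 1]
    if tag in (b"N", b"b", b"i", b"d", b"r", b"R"):   # null, scalars, references
        return buf.index(b";", pos) + 1
    if tag == b"s":
        return _read_str(buf, pos + 2)[1] + 1
    if tag in (b"a", b"O", b"C"):
        pos += 2
        if tag != b"a":                      # O and C name a class to instantiate
            name, pos = _read_str(buf, pos)
            found.append(name.decode("utf-8", "replace"))
            pos += 1                         # ':' after the class name
        n, pos = _read_int(buf, pos)
        if tag == b"C":                      # n = byte length of an opaque body
            return pos + n + 2
        pos += 1                             # '{'
        for _ in range(2 * n):               # n key/value or property/value pairs
            pos = _value(buf, pos, found)
        return pos + 1                       # '}'
    raise ValueError("unsupported type tag")

def classify_args(post_body):
    """Return (verdict, class_names) for the 'args' field of a form-encoded POST body."""
    raw = parse_qs(post_body, keep_blank_values=True).get("args", [""])[0].strip().encode()
    found = []
    if raw != b"N;" and raw[1:2] != b":":
        return "not-serialized", found
    try:
        _value(raw, 0, found)
    except (ValueError, RecursionError):
        return "malformed", found
    return ("object" if found else "data-only"), found

# Constructed sample bodies: plain array; object nested in an array; object text inside a string
SAMPLES = [urlencode({"args": v}) for v in ('a:1:{s:4:"page";i:2;}',
    'a:1:{s:1:"x";O:8:"stdClass":0:{}}', 's:19:"O:8:"stdClass":0:{}";')]
```

Verdicts of "object" and "malformed" are the ones to review. The third sample is classified "data-only" because the parser honours the string's byte length, where a plain pattern match on the object marker would have flagged it.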

Added: May 2, 2026, 6:19 AM
Updated: May 2, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.5
remediation: 0.0
relevance: 7.2
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.