CVE-2022-0653
published 2022-02-24


Priority: P279, medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 2.70% (84.1th percentile)
The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter in the ~/assets/misc/fallback-page.php file. This allows attackers to inject arbitrary web scripts into a page, which execute whenever a user clicks on a link specially crafted by an attacker. This affects versions up to and including 3.6.1.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| cozmoslabs | profile_builder | <= 3.6.1 | |
| cozmoslabs | profile_builder_user_profile_user_registration_forms | 3.6.1 – 3.6.1 | |

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/profile-builder/assets/misc/fallback-page.php
url: /wp-content/plugins/profile-builder/assets/misc/fallback-page.php?site_url=javascript:alert(document.domain);&message=Not+Found&site_name=404
  • Send a GET request to the vulnerable endpoint with a javascript: URI in the site_url parameter; a 200 response with 'here' in the body and Content-Type: text/html confirms exploitability.
  • Look for unsanitized reflection of the site_url parameter in the HTTP response body of fallback-page.php; the word 'here' appearing as a hyperlink anchor text indicates the payload is embedded.
  • The vulnerability is a reflected XSS in the ~/assets/misc/fallback-page.php file via the site_url parameter; monitor HTTP access logs for requests to this path containing javascript: or other XSS payloads in the site_url query parameter.
  • Vulnerability affects Profile Builder plugin versions up to and including 3.6.1 only; patched in version 3.6.5 or later.
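
The access-log monitoring described in the bullets above, as an added example (not code from this page or from the plugin's authors). It assumes Apache/nginx "combined" log lines; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path from the page's IOC list; suffix match also covers subdirectory installs.
VULN_PATH = "/wp-content/plugins/profile-builder/assets/misc/fallback-page.php"
# Assumption: access logs use the Apache/nginx "combined" format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
MARKUP_RE = re.compile(r"[<>\"'`]")

SAMPLE_LOG = [  # constructed sample lines (documentation IP ranges), not real traffic
    '203.0.113.7 - - [24/Feb/2022:10:00:00 +0000] "GET ' + VULN_PATH + '?site_url=javascript:alert(document.domain);&message=Not+Found&site_name=404 HTTP/1.1" 200 512',
    '203.0.113.8 - - [24/Feb/2022:10:00:05 +0000] "GET /blog' + VULN_PATH + '?site_url=JaVaScRiPt%253Aalert(document.domain) HTTP/1.1" 200 498',
    '198.51.100.4 - - [24/Feb/2022:10:01:00 +0000] "GET ' + VULN_PATH + '?site_url=https%3A%2F%2Fexample.org&message=Not+Found&site_name=Example HTTP/1.1" 200 505',
    '198.51.100.9 - - [24/Feb/2022:10:02:00 +0000] "GET /index.php?site_url=javascript:void(0) HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253A) up to a fixed depth."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_site_url(value):
    """Return a reason if the site_url value looks like an XSS probe, else None."""
    # Browsers ignore whitespace and control characters inside a URL scheme.
    cleaned = re.sub(r"[\x00-\x20]", "", decode_fully(value))
    scheme = cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""
    if scheme and scheme not in ("http", "https"):
        return "non-http scheme: " + scheme
    if MARKUP_RE.search(cleaned):
        return "markup characters"
    return None

def scan(lines):
    """Return (client_ip, status, reason) for each suspicious fallback-page.php hit."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        parts = urlsplit(target)
        if not unquote(parts.path).endswith(VULN_PATH):
            continue
        for value in parse_qs(parts.query).get("site_url", []):
            reason = suspicious_site_url(value)
            if reason:
                hits.append((ip, int(status), reason))
    return hits
```

Calling scan(SAMPLE_LOG) flags the first two lines and ignores the benign https value and the request to an unrelated path.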

CVSS provenance

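| Source | CVSS version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |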