CVE-2026-7647
Published 2026-05-02
Priority: P3 50 · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.7th percentile)
The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.
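The advisory paragraph describes a textbook deserialization sink: an AJAX callback registered under both wp_ajax_ and wp_ajax_nopriv_ that hands the raw 'args' POST parameter to maybe_unserialize() (a WordPress core helper that wraps PHP's unserialize()) with no nonce, capability, or type check in front of it. The block below is an added example, not code from the Profile Builder Pro plugin or from Cozmoslabs; it shows the vulnerable shape as a comment and a hardened handler for the same kind of endpoint. Every name in it (wppb_example_*, the nonce action string, the 'security' request field, the listing_id/bounds schema, the 'read' capability) is hypothetical, chosen to illustrate the pattern.

```php
<?php
/**
 * Added example (not the plugin's code): a hardened WordPress AJAX handler
 * for the anti-pattern in the advisory, i.e. passing an attacker-controlled
 * POST parameter to maybe_unserialize() from a handler reachable through
 * wp_ajax_nopriv_. All names (wppb_example_*, nonce action, capability,
 * argument schema) are hypothetical.
 */

// --- Vulnerable shape, shown only for contrast ------------------------------
// add_action( 'wp_ajax_example', 'vulnerable_callback' );
// add_action( 'wp_ajax_nopriv_example', 'vulnerable_callback' );   // unauthenticated reach
// function vulnerable_callback() {
//     $args = maybe_unserialize( $_POST['args'] );                  // may instantiate objects
//     /* ... */
// }

// --- Hardened shape ----------------------------------------------------------

// 1. Register for logged-in users only: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_wppb_example_users_pins', 'wppb_example_users_pins_callback' );

/**
 * Coarse probe detector: true if the string carries a PHP-serialized object,
 * custom-serialized class, or enum token at a value boundary. Used to reject
 * (and log) serialized payloads before any parsing happens.
 */
function wppb_example_contains_serialized_object( $value ) {
    return (bool) preg_match( '/(^|[;{:])[OCE]:\d+:"/', $value );
}

/**
 * Validates decoded arguments against an explicit schema.
 * Returns the sanitized array, or null on any deviation.
 */
function wppb_example_validate_args( $args ) {
    if ( ! is_array( $args ) ) {
        return null;
    }
    $clean = array(
        'listing_id' => isset( $args['listing_id'] ) ? absint( $args['listing_id'] ) : 0,
        'bounds'     => array(),
    );
    if ( isset( $args['bounds'] ) && is_array( $args['bounds'] ) ) {
        foreach ( array( 'north', 'south', 'east', 'west' ) as $edge ) {
            if ( ! isset( $args['bounds'][ $edge ] ) || ! is_numeric( $args['bounds'][ $edge ] ) ) {
                return null;
            }
            $clean['bounds'][ $edge ] = (float) $args['bounds'][ $edge ];
        }
    }
    if ( 0 === $clean['listing_id'] || empty( $clean['bounds'] ) ) {
        return null;
    }
    return $clean;
}

function wppb_example_users_pins_callback() {
    // 2. CSRF protection: the client sends wp_create_nonce( 'wppb_example_users_pins' )
    //    in the 'security' field; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'wppb_example_users_pins', 'security' );

    // 3. Authorization: require a capability appropriate to the feature.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Take the raw string; it never reaches (maybe_)unserialize().
    $raw = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : '';
    if ( ! is_string( $raw ) || strlen( $raw ) > 4096 ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }
    if ( wppb_example_contains_serialized_object( $raw ) ) {
        // A serialized object in this parameter is a probe, not a client bug: log it.
        error_log( 'wppb_example: rejected serialized-object payload from '
            . sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) );
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    // 5. Use a data-only format: json_decode() cannot instantiate PHP classes.
    $args = json_decode( $raw, true );
    if ( JSON_ERROR_NONE !== json_last_error() ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    $clean = wppb_example_validate_args( $args );
    if ( null === $clean ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    // ... feature logic operates on $clean only ...
    wp_send_json_success( $clean );
}
```

Each of the five controls closes a distinct gap named in the advisory: dropping the nopriv hook removes unauthenticated reach, check_ajax_referer() supplies the missing nonce verification, the capability check adds authorization, and decoding JSON into an explicit schema replaces the missing type checking and input validation. If a deployment genuinely has to keep accepting legacy serialized input, PHP 7.0+'s unserialize( $raw, array( 'allowed_classes' => false ) ) turns any embedded object into __PHP_Incomplete_Class without running its magic methods; but switching the format to JSON is the cleaner fix. On the detection side, the same regex the handler uses to reject probes is a reasonable signal to run over web access logs or WAF captures for POST bodies to admin-ajax.php carrying an 'args' parameter.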
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cozmoslabs | profile_builder_pro | <= 3.14.5 | — |
GHSA
GHSA-9ppp-7g47-4h53 · ghsa_unreviewed · 2026-05-02 · CVE-2026-7647 [HIGH] · CWE-502
Title: The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5.
VulDB
vuldb · 2026-05-02 · CVSS 8.1 · CVE-2026-7647 [HIGH]
Title: Cozmoslabs Profile Builder Pro Plugin up to 3.14.5 on WordPress AJAX maybe_unserialize args deserialization
A vulnerability classified as problematic has been found in Cozmoslabs Profile Builder Pro Plugin up to 3.14.5 on WordPress. It affects the function maybe_unserialize of the component AJAX Handler: manipulation of the argument args leads to deserialization.
This vulnerability is tracked as CVE-2026-7647. The attack can be initiated remotely. No exploit is available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13
https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271
https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13
https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve