Unknown User Profile Builder vulnerabilities
4 known vulnerabilities affecting unknown/user_profile_builder.
Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, MEDIUM 1
Vulnerabilities
CVE-2025-15030 | CRITICAL | CVSS 9.8 | CWE-269 | affected: ≥ 1.1.27, < 3.15.2 | 2026-02-02
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account.
cvelistv5, nvd
CVE-2024-6708 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 3.12.2 | 2025-05-15
The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks.
cvelistv5, nvd
CVE-2024-6695 | CRITICAL | CVSS 9.8 | CWE-863 | fixed in 3.11.9 | 2024-07-31
It's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow in the user registration process.
cvelistv5, nvd
CVE-2024-6366 | CRITICAL | CVSS 9.1 | CWE-434 | PoC | fixed in 3.11.8 | 2024-07-29
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
cvelistv5, nvd