{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/profile-builder-pro-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7647"}],"_cs_exploited":false,"_cs_products":["Profile Builder Pro plugin"],"_cs_severities":["critical"],"_cs_tags":["php-object-injection","wordpress","plugin","rce"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Profile Builder Pro plugin for WordPress is susceptible to a critical PHP Object Injection vulnerability (CVE-2026-7647, CVSS 8.1) affecting all versions up to and including 3.14.5. The flaw is in the \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e AJAX handler, which passes the attacker-controlled \u003ccode\u003eargs\u003c/code\u003e POST parameter to \u003ccode\u003emaybe_unserialize()\u003c/code\u003e; because that function calls \u003ccode\u003eunserialize()\u003c/code\u003e on any string that looks serialized, the attacker chooses which PHP class is instantiated and with which property values. The handler is registered on both the \u003ccode\u003ewp_ajax_\u003c/code\u003e and \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hooks, so it is reachable without a session, and it performs no nonce verification, capability check, input validation, or type checking on \u003ccode\u003eargs\u003c/code\u003e. A remote, unauthenticated attacker can therefore instantiate arbitrary objects inside the application; whether that escalates to remote code execution depends on whether a usable gadget chain (a class whose magic methods such as \u003ccode\u003e__wakeup()\u003c/code\u003e or \u003ccode\u003e__destruct()\u003c/code\u003e act on attacker-controlled properties) is present in the plugin, in another installed plugin or theme, or in WordPress core. 
The vulnerability was published on 2026-05-02.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running a vulnerable version (\u0026lt;= 3.14.5) of the Profile Builder Pro plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the WordPress AJAX endpoint (\u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e); no login and no nonce are needed.\u003c/li\u003e\n\u003cli\u003eThe POST request sets the \u003ccode\u003eaction\u003c/code\u003e parameter to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eargs\u003c/code\u003e parameter carries a PHP-serialized object (an \u003ccode\u003eO:\u0026lt;len\u0026gt;:\u0026quot;ClassName\u0026quot;:...\u003c/code\u003e string) whose class and property values are chosen to reach a gadget chain.\u003c/li\u003e\n\u003cli\u003eWordPress routes the action to \u003ccode\u003ewppb_request_users_pins_action_callback()\u003c/code\u003e through the \u003ccode\u003ewp_ajax_nopriv_\u003c/code\u003e hook, so the handler runs without a session.\u003c/li\u003e\n\u003cli\u003eThe handler passes \u003ccode\u003eargs\u003c/code\u003e to \u003ccode\u003emaybe_unserialize()\u003c/code\u003e without nonce verification, validation, or type checking; because the value is a well-formed serialized string, \u003ccode\u003eunserialize()\u003c/code\u003e is invoked on it.\u003c/li\u003e\n\u003cli\u003ePHP instantiates the attacker-chosen class with the attacker-supplied property values.\u003c/li\u003e\n\u003cli\u003eThe object\u0026rsquo;s magic methods run with those properties: \u003ccode\u003e__wakeup()\u003c/code\u003e during deserialization, \u003ccode\u003e__destruct()\u003c/code\u003e when the object is released, or \u003ccode\u003e__toString()\u003c/code\u003e if the object is later used as a string. With a suitable gadget chain this yields arbitrary file writes or code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhere a usable gadget chain is present, successful exploitation allows an unauthenticated attacker to execute arbitrary PHP code on the target WordPress server. This can lead to complete system compromise, including data theft, website defacement, and the installation of backdoors for persistent access. 
Given the widespread use of WordPress and the Profile Builder Pro plugin, a large number of sites are exposed until the plugin is updated; any installation running version 3.14.5 or earlier should be treated as affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Profile Builder Pro plugin to the latest available version to patch CVE-2026-7647; every version up to and including 3.14.5 is affected.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Profile Builder Pro PHP Object Injection Attempt\u003c/code\u003e to detect exploitation attempts targeting the vulnerable AJAX endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewppb_request_users_pins_action_callback\u003c/code\u003e and a serialized PHP object (a value containing \u003ccode\u003eO:\u003c/code\u003e followed by a length and a quoted class name) in the \u003ccode\u003eargs\u003c/code\u003e parameter. Standard access logs record the query string but not the POST body, so this requires a WAF or ModSecurity audit log, or a reverse proxy configured to log request bodies; note also that \u003ccode\u003eadmin-ajax.php\u003c/code\u003e reads \u003ccode\u003eaction\u003c/code\u003e from \u003ccode\u003e$_REQUEST\u003c/code\u003e, so the parameters may also arrive in the query string.\u003c/li\u003e\n\u003cli\u003eUntil the update can be applied, a WAF rule that blocks requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e carrying that action together with a serialized object in \u003ccode\u003eargs\u003c/code\u003e is a reasonable interim mitigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-wordpress-profile-builder-rce/","summary":"An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.","title":"WordPress Profile Builder Pro Plugin PHP Object Injection Vulnerability (CVE-2026-7647)","url":"https://feed.craftedsignal.io/briefs/2024-01-wordpress-profile-builder-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Profile Builder Pro Plugin","version":"https://jsonfeed.org/version/1.1"}
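Added example, not part of the CraftedSignal advisory or of the plugin's code: the log-monitoring recommendation in the brief above, implemented as detection logic in Python and run over constructed log records. It assumes the log is newline-delimited JSON with `src`, `method`, `uri` and `body` fields (a WAF or proxy that records POST bodies; plain access logs do not), and it checks the query string as well as the body because `admin-ajax.php` resolves `action` from `$_REQUEST`. The `Example_Gadget` class name in the sample payloads is a placeholder, not a known gadget.

```python
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# The AJAX action named in the advisory for CVE-2026-7647.
VULN_ACTION = "wppb_request_users_pins_action_callback"

# Header of a PHP-serialized object: O:<name length>:"<name>":<property count>:{
# maybe_unserialize() hands any such string to unserialize(), which is the
# call that instantiates the attacker's chosen class.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')


def php_object_classes(value: str) -> list:
    """Class names of every serialized PHP object in value, nested ones included.

    The declared length must equal the name's byte length, as PHP's serializer
    writes it; this drops strings that merely contain 'O:' by coincidence.
    """
    return [name for length, name, _count in PHP_OBJECT_RE.findall(value)
            if len(name.encode()) == int(length)]


def request_params(record: dict) -> dict:
    """Merge query-string and body parameters; the body wins on conflict.

    admin-ajax.php resolves `action` from $_REQUEST, so the action (and the
    `args` payload) may arrive either way; checking both avoids a trivial
    bypass of a body-only rule.
    """
    params = {}
    for source in (urlsplit(record.get("uri", "")).query, record.get("body", "")):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params[key] = values[-1]
    return params


def analyze(record: dict):
    """Return a finding for a request that reaches the vulnerable action, else None."""
    path = urlsplit(record.get("uri", "")).path
    if not path.endswith("/wp-admin/admin-ajax.php"):  # WordPress may live in a subdirectory
        return None
    params = request_params(record)
    if params.get("action") != VULN_ACTION:
        return None
    classes = php_object_classes(params.get("args", ""))
    return {
        "src": record.get("src"),
        "method": record.get("method"),
        # A PHP object in `args` is the exploit signature; a plain hit on this
        # nonce-less, unauthenticated action is only worth counting.
        "severity": "high" if classes else "low",
        "classes": classes,
    }


def scan(lines) -> list:
    """Run analyze() over newline-delimited JSON records, skipping unparsable lines."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze(record)
        if finding is not None:
            findings.append(finding)
    return findings


# ---- constructed sample records (not real traffic) -------------------------
# "Example_Gadget" is a placeholder class name, not a known gadget chain.
def _form(**fields) -> str:
    """Percent-encode fields the way a browser form post would."""
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in fields.items())

_OBJECT = 'O:14:"Example_Gadget":1:{s:3:"cmd";s:2:"id";}'
_ARRAY = 'a:1:{s:3:"pin";s:4:"1234";}'            # serialized array, no object
_NESTED = 'a:1:{i:0;O:14:"Example_Gadget":0:{}}'   # object hidden inside an array

SAMPLE_LOG = [
    json.dumps({"src": "203.0.113.5", "method": "GET",
                "uri": "/wp-admin/admin-ajax.php?action=heartbeat", "body": ""}),
    json.dumps({"src": "203.0.113.7", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "body": _form(action=VULN_ACTION, args=_ARRAY)}),
    json.dumps({"src": "198.51.100.9", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "body": _form(action=VULN_ACTION, args=_OBJECT)}),
    json.dumps({"src": "198.51.100.9", "method": "GET", "body": "",
                "uri": "/blog/wp-admin/admin-ajax.php?" + _form(action=VULN_ACTION, args=_NESTED)}),
    json.dumps({"src": "198.51.100.9", "method": "POST", "uri": "/wp-login.php",
                "body": _form(action=VULN_ACTION, args=_OBJECT)}),
    "not a json record",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run as-is, the sample records produce three findings: a low-severity hit where `args` is a serialized array, and two high-severity hits where it carries a PHP object, one of them nested inside an array and delivered through the query string to a subdirectory install. The byte-length check on the class name is what keeps arbitrary text containing `O:` from alerting, and the extracted class names tell the responder which gadget the attacker was aiming at.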