CVE-2026-7647 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: May 2, 2026
Profile Builder Pro WordPress - Insecure Deserialization
Published: May 2, 2026 | Updated: May 2, 2026 | Remote Exploitable
Overview
The Profile Builder Pro WordPress plugin, versions <= 3.14.5, contains a PHP Object Injection vulnerability caused by unsafe deserialization of the 'args' POST parameter in the wppb_request_users_pins_action_callback AJAX handler. This lets unauthenticated attackers inject arbitrary PHP objects.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Unauthenticated attackers can inject arbitrary PHP objects, potentially leading to remote code execution or application compromise.
Mitigation
Update the plugin to the latest version, later than 3.14.5.
References
- https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13
- https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271
- https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13
- https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve
Details
- CVE ID: CVE-2026-7647
- Severity: High
- CVSS Score: 8.1
- Type: insecure_deserialization
- Status: new
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H