CVE-2022-0653
MEDIUM EXPLOITED NUCLEIProfile Builder < 3.6.1 - Reflected Cross-Site Scripting via site_url Parameter
Title source: llmExploitation Summary
CVE-2022-0653 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1.
Nuclei Templates (1)
Wordpress Profile Builder Plugin Cross-Site Scripting
MEDIUMby dhiyaneshDk
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulnerability-patched-in-wordpress-profile-builder-plugin/
Patch, Third Party Advisory x_refsource_misc
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2655168%40profile-builder&new=2655168%40profile-builder&sfp_email=&sfph_mail=
Scores
CVSS v3
6.1
EPSS
0.0270
EPSS Percentile
84.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2024-09-19
CWE
CWE-79
Status
published
Products (1)
cozmoslabs/profile_builder
< 3.6.1
Published
Feb 24, 2022
Tracked Since
Feb 18, 2026