CVE-2022-0653 MEDIUM

CVE-2022-0653: Profile Builder – User Profile & User Registration Forms <= 3.6.1 Reflected Cross-Site Scripting

Vendor Cozmoslabs
Product Profile Builder – User Profile & User Registration Forms
Weakness CWE-79 · XSS
Published February 24, 2022
Last update January 31, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter in the ~/assets/misc/fallback-page.php file. This allows attackers to inject arbitrary web scripts into a page, which execute whenever a user clicks a link specially crafted by the attacker. This affects versions up to and including 3.6.1.

Key dates

02 Disclosure timeline

February 24, 2022 CVE published
January 31, 2025 Record updated
