CVE-2026-7647 HIGH

CVE-2026-7647: Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection

Vendor Cozmoslabs
Product Profile Builder Pro
Weakness CWE-502 · Unsafe deserialization
Published May 2, 2026
Last update May 4, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.

Explanation of Vulnerability in Simple Terms

02Summary

Profile Builder Pro versions up to 3.14.5 contain a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code on the site. The vulnerability requires specific conditions to trigger but can lead to complete site compromise. Site administrators should update to a version newer than 3.14.5 immediately.

What an attacker can do

03Attacker Capabilities

Run their own code on the site without authentication (remote code execution).

Potential impact on your site

04Site Impact

Complete compromise of the WordPress site, including data theft, malware installation, and user account takeover.

Conditions required to exploit

05Prerequisites

Network access to the site; specific attack conditions must be met (high attack complexity).

Key dates

06Disclosure timeline

May 2, 2026 CVE published
May 4, 2026 Record updated

Related vulnerabilities

08Related CVE