What the vulnerability does
01Description
The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.
Explanation of Vulnerability in Simple Terms
02Summary
Profile Builder Pro versions up to 3.14.5 contain a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code on the site. The vulnerability requires specific conditions to trigger but can lead to complete site compromise. Site administrators should update to a version newer than 3.14.5 immediately.
What an attacker can do
03Attacker Capabilities
Run their own code on the site without authentication (remote code execution).
Potential impact on your site
04Site Impact
Complete compromise of the WordPress site, including data theft, malware installation, and user account takeover.
Conditions required to exploit
05Prerequisites
Network access to the site; specific attack conditions must be met (high attack complexity).
Key dates
06Disclosure timeline
May 2, 2026
CVE published
May 4, 2026
Record updated