Platform: wordpress
Component: profile-builder-pro
Fixed in: 3.14.0
CVE-2026-27413 is a critical SQL injection vulnerability in Cozmoslabs Profile Builder Pro. The flaw is a blind SQL injection, which can lead to unauthorised reading and modification of database contents. The page lists the affected range as 0.0.0 through 3.14.0 while naming 3.14.0 as the patched release; since the fix ships in 3.14.0, every installation running an earlier version should be treated as affected.
The vulnerability lets an attacker inject SQL into a query the plugin builds from unsanitised input, and so talk to the WordPress database directly. Because the injection is blind, the query's results are not reflected in the response; the attacker instead infers them one bit or character at a time, either from differences between true and false conditions (boolean-based) or from deliberately induced delays (time-based). That is slower than a classic injection but just as effective, and it is routinely automated. Successful exploitation could expose user credentials (the password hashes in wp_users) and profile data, or compromise the whole database; beyond reading, an attacker may be able to modify data, disrupt the service, or escalate to an administrator account on the site. This matters for Profile Builder Pro in particular because it handles user registration and profile management and therefore sits directly in front of that data.
CVE-2026-27413 was publicly disclosed on 2026-03-19 and is rated CRITICAL. At the time of writing there is no public exploit and no report of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. Patch regardless: the data at stake makes it worth prioritising, and the absence of a public exploit today says nothing about tomorrow.
WordPress sites running Profile Builder Pro in a version prior to 3.14.0 are at risk. Shared hosting environments are a particular concern when several sites share one database or one database user, because an injection on one site then reaches the other sites' tables as well.
Detection checks (the version check is the one that decides; the other two only show that the plugin is present and builds SQL, not that it is exploitable):
• wordpress / composer / npm: report the active plugin and its version with WP-CLI; anything below 3.14.0 is in the affected range:
  wp plugin list --status=active --fields=name,version | grep profile-builder-pro
• wordpress / composer / npm: locate raw SQL in the plugin source (shows where queries are built, not whether they are parameterised):
  grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/profile-builder-pro/
• generic web: the URL must be quoted, otherwise the shell treats "&action=..." as a background operator; and because -I sends a HEAD request, grep only ever sees response headers, so this at most confirms that the endpoint is reachable:
  curl -sI 'https://your-wordpress-site.com/wp-admin/admin.php?page=profile-builder-pro-settings&action=test_db_connection' | grep -i SQL
Disclosure: 2026-03-19
Exploit status: no public exploit and no reports of active exploitation at the time of writing
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS vector
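The WP-CLI check above answers the question when WP-CLI is available. Where it is not (a backup, a container image, a host you only have file access to), the same answer can be read from the plugin header of the main plugin file. The script below is an added example written for this page, not code from the page or from Cozmoslabs; it assumes the standard WordPress plugin header format ("Plugin Name:" and "Version:" lines in a comment block), uses a constructed sample header, and treats 3.14.0 as the first fixed release per the advisory. It also demonstrates the pitfall that makes a numeric comparison necessary: compared as strings, "3.9.1" sorts after "3.14.0".

```python
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# First fixed release according to the advisory.
FIXED_VERSION = "3.14.0"

# WordPress reads plugin metadata from a comment block in the main plugin file,
# one "Key: value" pair per line; "Version:" is the one we need.
HEADER_VERSION_RE = re.compile(r"^[\s*#/]*Version:\s*(\S+)", re.MULTILINE)
PLUGIN_NAME_RE = re.compile(r"^[\s*#/]*Plugin Name:", re.MULTILINE)

# Constructed sample of a plugin header (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Profile Builder Pro
 * Version: 3.9.1
 */
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.9.1' into (3, 9, 1) so that components compare numerically.

    Plain string comparison gets this wrong: '3.9.1' > '3.14.0' as strings,
    but 3.9.1 is the older release. Missing components are padded with 0 so
    that '3.14' and '3.14.0' compare equal; a suffix such as '-beta1' is
    ignored for the purpose of the vulnerable-range check.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed release predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version: header from a plugin's main PHP file."""
    m = HEADER_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def check_plugin_dir(plugin_dir: Path) -> Optional[bool]:
    """Find the main plugin file (the top-level .php file carrying 'Plugin Name:')
    and report whether its version is in the vulnerable range.
    Returns None when no plugin header is found."""
    for php in sorted(plugin_dir.glob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if PLUGIN_NAME_RE.search(text):
            version = version_from_header(text)
            return is_vulnerable(version) if version else None
    return None


if __name__ == "__main__":
    # Usage: python check_pb_version.py /var/www/html/wp-content/plugins/profile-builder-pro
    if len(sys.argv) > 1:
        result = check_plugin_dir(Path(sys.argv[1]))
        print("no plugin header found" if result is None else f"vulnerable={result}")
    else:
        v = version_from_header(SAMPLE_HEADER)
        print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
```

Point it at the plugin directory on disk; without an argument it evaluates the constructed sample header. The directory name profile-builder-pro is taken from the page's own detection commands.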
The primary mitigation for CVE-2026-27413 is to upgrade Profile Builder Pro to version 3.14.0 or later. If the upgrade has to wait for compatibility testing, reduce exposure in the meantime: a WAF rule aimed at the specific injection point cannot be written without knowing the vulnerable parameter, but a generic SQL-injection rule set (the OWASP Core Rule Set, for example) raises the bar for the common time-based and boolean-based payloads. Review web-server and database logs for the probe patterns blind injection leaves behind. After upgrading, confirm that the installed version is 3.14.0 or later; because the injection point is not public, there is no reliable payload test to run from this advisory alone.
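The log review recommended above is only useful if you know what blind injection looks like in an access log. As described earlier, time-based probes carry a delay function (SLEEP, BENCHMARK, pg_sleep, WAITFOR DELAY), and boolean-based probes append a condition and compare the two responses, typically in long bursts of near-identical requests while a value is extracted one character at a time. The scanner below is an added example, not code from the page or from Cozmoslabs, and runs over constructed log lines in combined log format: the injection point of CVE-2026-27413 is not public, so the user_id parameter on the site root is a placeholder, and the signatures match the payload shapes rather than any specific endpoint.

```python
import re
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines (not real traffic). The
# vulnerable parameter (user_id on the site root) is a placeholder; the
# payload shapes are what a blind-SQLi probe looks like in any log.
SAMPLE_LOG = [
    '198.51.100.2 - - [19/Mar/2026:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [19/Mar/2026:10:00:02 +0000] "GET /?s=black+and+white HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # time-based: the response is delayed by ~5 s only if the injected condition executes
    '203.0.113.7 - - [19/Mar/2026:10:01:00 +0000] "GET /?user_id=5%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "curl/8.0"',
    # boolean-based: two requests that differ only in a true/false condition
    '203.0.113.7 - - [19/Mar/2026:10:01:06 +0000] "GET /?user_id=5%27%20AND%201%3D1--%20 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [19/Mar/2026:10:01:07 +0000] "GET /?user_id=5%27%20AND%201%3D2--%20 HTTP/1.1" 200 498 "-" "curl/8.0"',
    # boolean-based extraction, one character of a password hash per request
    '203.0.113.7 - - [19/Mar/2026:10:01:08 +0000] "GET /?user_id=5%27%20AND%20(SELECT%20SUBSTRING(user_pass,1,1)%20FROM%20wp_users%20WHERE%20ID%3D1)%3D%27%24%27--%20 HTTP/1.1" 200 512 "-" "curl/8.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Time-based probes call a delay function; the request only "succeeds" if it sleeps.
TIME_BASED_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)
# Boolean-based probes append a condition: ' AND 1=1, ' OR 'a'='a, ' AND (SELECT ...
BOOLEAN_RE = re.compile(
    r"\b(?:and|or)\b\s*\(*\s*(?:select\b|\d+\s*[=<>!]|'[^']*'\s*[=<>!])",
    re.IGNORECASE,
)


def classify(target: str) -> Optional[str]:
    """Label a request target as a time-based or boolean-based blind probe, or None."""
    decoded = unquote_plus(target)  # %27 -> ', + -> space, so the patterns become visible
    if TIME_BASED_RE.search(decoded):
        return "time-based"
    if BOOLEAN_RE.search(decoded):
        return "boolean-based"
    return None


def scan(lines: List[str], burst_threshold: int = 3) -> Tuple[List[Dict[str, str]], Dict[Tuple[str, str], int]]:
    """Return (hits, bursts).

    hits:   requests whose query matches a blind-SQLi signature.
    bursts: (ip, path) pairs with at least burst_threshold requests, counted over
            all requests, because character-by-character extraction produces many
            near-identical requests even when the payload evades the signatures.
    """
    hits: List[Dict[str, str]] = []
    per_path: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than crash
        target = m["target"]
        per_path[(m["ip"], target.split("?", 1)[0])] += 1
        kind = classify(target)
        if kind:
            hits.append({"ip": m["ip"], "ts": m["ts"], "kind": kind, "target": unquote_plus(target)})
    bursts = {key: n for key, n in per_path.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    # Usage: python scan_blind_sqli.py access.log   (no argument: constructed sample)
    lines = open(sys.argv[1], encoding="utf-8", errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    found, bursts = scan(lines)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['kind']}: {h['target']}")
    for (ip, path), n in bursts.items():
        print(f"burst: {n} requests from {ip} to {path}")
```

The burst counter is deliberately independent of the signatures: an attacker can encode or obfuscate the payload, but boolean-based extraction still needs hundreds of requests to the same path from the same source, and that shape survives obfuscation. Tune burst_threshold to your traffic before relying on it.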
Update to version 3.14.0 or a newer patched release.
CVE-2026-27413 is a critical SQL injection vulnerability in Profile Builder Pro that lets attackers extract data through blind SQL injection; every release before the fixed version 3.14.0 is affected (the page lists the range as 0.0.0 through 3.14.0).
You are affected if your site runs Profile Builder Pro in any version earlier than 3.14.0. Upgrade immediately.
Upgrade Profile Builder Pro to 3.14.0 or later. If you cannot upgrade yet, put generic SQL-injection WAF rules in front of the site as a stopgap; sanitising the input inside the plugin is the vendor's fix, not something a site operator can bolt on from outside.
No public exploit is known at the time of writing (EPSS 0.04%, 12th percentile), but blind SQL injection is routinely automated once an injection point is known, so monitor your logs for probe patterns.
Refer to the Cozmoslabs website and the WordPress plugin repository for the official advisory and update information.