Platform: wordpress
Component: profile-builder-pro
Fixed in: 3.14.0
CVE-2026-27413 describes a critical SQL Injection vulnerability discovered in Cozmoslabs Profile Builder Pro. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 3.14.0, and a patch is available in version 3.14.0.
The SQL injection in Profile Builder Pro lets an attacker pass input into a database query without proper escaping, so they can run queries of their own against the underlying WordPress database. Because the flaw is blind, the application never returns query results directly; the attacker must infer data one condition at a time from differences in the application's responses. This makes extraction slower but still practical, and it can expose user credentials, personal data and database schema details. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. Although no specific precedent for this plugin is known, blind SQL injection flaws are frequently exploited to gain persistent access and escalate privileges.
CVE-2026-27413 was publicly disclosed on 2026-03-19. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). As of this writing, no public proof-of-concept exploits have been published, but the nature of blind SQL injection means that exploitation is likely possible with sufficient effort. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-27413 is to immediately upgrade Profile Builder Pro to version 3.14.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Carefully review and sanitize all user inputs to prevent malicious SQL code from being injected. Monitor WordPress logs for suspicious database queries that might indicate an ongoing attack.
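As an added illustration of the log-monitoring advice above (this is not code from the advisory or from Cozmoslabs), the following Python scanner reads web-server access-log lines, URL-decodes each request and flags common blind-SQL-injection indicators, then counts flagged requests per source address, since blind extraction needs many probes rather than one. The log format (combined), the endpoint path, the IP addresses and the sample lines are all constructed assumptions; the indicator list is illustrative and should be tuned for the site.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format); not real traffic.
# The endpoint and parameter names are placeholders, not Profile Builder Pro's.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=42 HTTP/1.1" 200 512
203.0.113.10 - - [19/Mar/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=42%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512
203.0.113.10 - - [19/Mar/2026:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=42%27%20AND%201%3D1--%20 HTTP/1.1" 200 512
198.51.100.7 - - [19/Mar/2026:10:02:00 +0000] "GET /profile/?user=alice HTTP/1.1" 200 2048
"""

# Parses the fields of a combined-format access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# WAF-style indicators of blind SQLi probing. Each is a heuristic: tune
# thresholds and patterns to the site to keep false positives manageable.
INDICATORS = {
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),      # timing probes
    "boolean_tautology": re.compile(r"\b(?:and|or)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),
    "comment_terminator": re.compile(r"(?:--\s|#|/\*)"),                 # trailing SQL comment
}


def analyze_line(line):
    """Return {ip, uri, indicators} for a parsable line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = unquote_plus(m.group("uri"))  # decode before matching; probes are URL-encoded
    hits = [name for name, pat in INDICATORS.items() if pat.search(uri)]
    return {"ip": m.group("ip"), "uri": uri, "indicators": hits}


def detect_blind_sqli(log_text, burst_threshold=2):
    """Return (flagged records, {ip: count} for IPs at or above burst_threshold)."""
    flagged, per_ip = [], {}
    for line in log_text.splitlines():
        rec = analyze_line(line)
        if rec and rec["indicators"]:
            flagged.append(rec)
            per_ip[rec["ip"]] = per_ip.get(rec["ip"], 0) + 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return flagged, bursts


if __name__ == "__main__":
    hits, bursts = detect_blind_sqli(SAMPLE_LOG)
    for rec in hits:
        print(rec["ip"], rec["indicators"], rec["uri"])
    print("repeat offenders:", bursts)
```

On the constructed sample the first and last lines are clean, the two encoded probes from 203.0.113.10 are flagged, and that address is reported as a burst.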
Update to version 3.14.0, or a newer patched version
CVE-2026-27413 is a critical SQL Injection vulnerability affecting Profile Builder Pro versions 0.0.0–3.14.0, allowing attackers to extract data via blind SQL injection.
You are affected if you are using Profile Builder Pro versions 0.0.0 through 3.14.0. Upgrade immediately to mitigate the risk.
Upgrade Profile Builder Pro to version 3.14.0 or later. If upgrading is not possible, implement WAF rules and sanitize user inputs.
While no public exploits are currently known, the vulnerability's nature makes exploitation likely. Monitor your systems for suspicious activity.
Refer to the Cozmoslabs website and WordPress plugin repository for the official advisory and update information.