WordPress Plugin Vulnerabilities

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor < 3.14.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form.

Affects Plugins

Plugin icon
profile-builder
Fixed in 3.14.4

References

CVE
CVE-2025-8896
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1d28e118-07d3-483e-87b8-66ccdb79e879

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Alex
Verified
No
WPVDB ID
60fdc478-d693-4357-8ca6-59a6f488eda2

Timeline

Publicly Published
2025-08-15 (about 8 months ago)
Added
2025-08-15 (about 8 months ago)
Last Updated
2025-08-16 (about 8 months ago)

Other

Published
Title
Published
2024-01-16
Title
Stock Locations for WooCommerce < 2.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings
Published
2025-03-11
Title
BlogBuzzTime-for-wp <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2024-03-28
Title
Sponsors <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-26
Title
drm-protected-video-streaming <= 4.2.1 - Reflected XSS
Published
2023-06-09
Title
GD Mail Queue < 4.0 - Unauthenticated Stored Cross-Site Scripting