WordPress Plugin Vulnerabilities

Profile Builder < 3.6.1 - Settings Import via CSRF

Description

The plugin does not have CSRF check in place when importing settings, which could allow attackers to make a logged in admin import arbitrary settings via a CSRF attack when the Import and Export add-on is active

Affects Plugins

Plugin icon
profile-builder
Fixed in 3.6.1

References

CVE
CVE-2021-36915

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
3.1 (low)

Miscellaneous

Original Researcher
John Castro aka mirphak
Verified
No
WPVDB ID
e6091de1-f2c1-45fe-8221-d55526c7faf6

Timeline

Publicly Published
2022-09-29 (about 3 years ago)
Added
2022-10-11 (about 3 years ago)
Last Updated
2022-10-11 (about 3 years ago)

Other

Published
Title
Published
2024-07-08
Title
Just Custom Fields <= 3.3.2 - Cross-Site Request Forgery via AJAX actions
Published
2021-07-02
Title
Woostify < 1.9.2 - CSRF Bypass
Published
2026-02-08
Title
Lemmony < 1.7.1 - Cross-Site Request Forgery
Published
2025-02-18
Title
Apptivo Business Site CRM <= 5.3 - Cross-Site Request Forgery to IP Address Block
Published
2026-02-13
Title
Grand Magazine <= 3.5.5 - Cross-Site Request Forgery