We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.
We strongly recommend ensuring that your site has been updated to the latest patched version of “Profile Builder – User Profile & User Registration Forms”, which is version 3.6.5 at the time of this publication.
Description: Reflected Cross-Site Scripting
Affected Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Plugin Developer: Cozmoslabs
Affected Versions: <= 3.6.1
CVE ID: CVE-2022-0653
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.6.2
Profile Builder – User Profile & User Registration Forms is a plugin designed to add enhanced user profile and registration capabilities to a WordPress site. The vulnerability in the plugin was simple.
Example of exploit (https://email.wordfence.com/e3t/Btc/GC+113/cwG7R04/VWjQgs4rqL9QW6T5ZlL7X8k2pVNrtzX4FFLr1N2v9B135js6pV3Zsc37CgWl-W5DfXFH7C2H_VW2dPx1R7nxln-N5QrQb4Bk2zKM5z2pMl6-hmN77-PypPjB9nW365Szn6mQNZ8W3DH38v7TjdNGW37tY9l8LjYpjW8BC38517VQ6rW5Z2X-T3dHMdwW1SrGbr3RptyxW23FtLg4BTd00W2MM_TQ6z6d9gW9hnmWN7l_JnJW1992NW4Tnyr8W7GK-bg1x0nyPW60vRmd1cH6CQW77rVN06y04LCW6Cnln-7cGrMcW89rHc63rTsxwW6gp15_8JdPF4N53pY6Ppt6GmN1NtRSsJ5-bBVzsg1j7vJdN7W8bdVmT4scnjDN6YJFTs9NtwjW6XhtcF5mX5H0VSkq2b1QHc2YW5Tb0cg2CL7zCMNl9bJ2G01dVtS1cf6hyNjSW6LhBZy83WVWL32W61 )
Cross-Site Scripting vulnerabilities can be exploited to perform several actions like creating new administrative user accounts, injecting theme and plugin files with backdoors, and redirecting visitors to malicious sites, all of which can be used for complete site takeover. This vulnerability requires users to click on a link in order to be successful, and is a reminder for site administrators and users to follow security best practices and avoid clicking on links from untrusted sources.
This vulnerability could also be used to redirect the user to a malicious site by simply injecting any domain in the site_url parameter.
January 4, 2022 – Conclusion of the plugin analysis that led to the discovery of a Reflected Cross-Site Scripting Vulnerability in the “Profile Builder – User Profile & User Registration Forms” plugin. We verify that the Wordfence firewall provides sufficient coverage. We initiate contact with the developer.
January 5, 2022 – The developer confirms the inbox for handling the discussion.
January 6, 2022 – We send over the full disclosure details. The developer acknowledges the report and indicates that they will work on a fix.
January 10, 2022 – A fully patched version of the plugin is released as version 3.6.2.
We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.6.5 at the time of this publication.