CVE-2026-7647:
CVE-2026-7647 is a PHP Object Injection vulnerability in the Profile Builder Pro WordPress plugin (versions up to and including 3.14.5) that allows unauthenticated attackers to inject arbitrary PHP objects via an unsanitized AJAX handler.
Score
8.1 (High), CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Published Date: May 2, 2026
- CISA KEV Date: No data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.0
- EPSS Percentile: 1%
Exploitability
- Score: 2.2
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-7647 affects the Profile Builder Pro WordPress plugin up to and including version 3.14.5. The flaw is in the AJAX handler `wppb_request_users_pins_action_callback()` in `add-ons/user-listing/one-map-listing.php`, which passes the attacker-supplied `args` POST parameter to `maybe_unserialize()` with no authentication, nonce, type or content check. Because the callback is registered on both the `wp_ajax_` and the `wp_ajax_nopriv_` hooks, any unauthenticated visitor can reach it through `/wp-admin/admin-ajax.php` with a single POST request. `unserialize()` instantiates whatever classes the payload names, so the attacker can create objects of any class loaded in the WordPress process (core, this plugin, other plugins, the theme) with attacker-chosen property values, and PHP will run their magic methods (`__wakeup`, `__destruct`, `__toString`, and so on). On its own this is object injection rather than code execution: the real-world impact depends on a usable POP (property-oriented programming) gadget chain being present in the installation, which is why the CVSS vector rates attack complexity as high. Where such a chain exists the outcome can be arbitrary file read, write or deletion, or remote code execution, so confidentiality, integrity and availability are all rated high, giving a CVSS v3.1 base score of 8.1 (HIGH).
Remediation
- Update Profile Builder Pro to a release after 3.14.5 that addresses this issue, and confirm the installed version from the plugin header or the Plugins screen rather than assuming. The fix that matters is to stop deserializing attacker-controlled data in `wppb_request_users_pins_action_callback()`: accept a structured format such as JSON and validate its shape, or, as a minimum, call `unserialize()` with `['allowed_classes' => false]` and reject any result that is not a plain array. Nonce verification, capability checks and strict type validation on `args` are worth adding as well, but a nonce alone does not close a `wp_ajax_nopriv_` endpoint, because the nonce it would check is issued to logged-out visitors and is obtainable by anyone who loads the page. Where patching is delayed, a web application firewall rule that blocks POST requests to `admin-ajax.php` whose `args` field carries PHP-serialized object markers (`O:` or `C:` followed by a length) removes the attacker's input path. Administrators should also inventory installed plugins and themes for classes with `__wakeup`, `__destruct` or `__toString` methods that act on their own properties, since such gadgets determine how far this flaw can be pushed.
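The following script is an added illustration of the pattern described in the Overview and of the remediation above; it is not the plugin's code and not the vendor's fix. It pairs a stand-in AJAX callback that feeds the `args` field to `maybe_unserialize()` with a constructed gadget class (standing in for one that some other plugin or theme might define) and two hardened variants. `maybe_unserialize()` is stubbed so the script runs under the PHP CLI; the stub's behaviour, the class name `LogWriter`, the `user_ids` schema and all function names are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. The stub below mimics WordPress
// core (assumption: core unserializes any string that looks serialized, with
// no class restriction) and is skipped when the real function is loaded.
if (!function_exists('maybe_unserialize')) {
    function maybe_unserialize($data)
    {
        $s = is_string($data) ? trim($data) : $data;
        if (is_string($s) && preg_match('/^(?:[aOCs]:\d+:|[bid]:|N;)/', $s)) {
            return @unserialize($s);
        }
        return $data;
    }
}

// Constructed gadget class standing in for one that any installed plugin or
// theme might define: __destruct acts on attacker-controlled properties.
// Writing a file is how this demo observes that the gadget ran.
class LogWriter
{
    public ?string $path = null;
    public string $content = '';

    public function __destruct()
    {
        if ($this->path !== null) {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: the raw POST field goes straight into unserialize().
function vulnerable_callback(array $post)
{
    return maybe_unserialize($post['args'] ?? '');
}

// Shared guard for the hardened variants: a string of bounded length or nothing.
function raw_args(array $post): ?string
{
    $raw = $post['args'] ?? null;
    return (is_string($raw) && strlen($raw) <= 4096) ? $raw : null;
}

function contains_object($value): bool
{
    if (is_object($value)) return true;
    if (!is_array($value)) return false;
    foreach ($value as $item) {
        if (contains_object($item)) return true;
    }
    return false;
}

// Minimal hardening: forbid class instantiation (objects come back as
// __PHP_Incomplete_Class, which has no magic methods), then refuse any result
// that is not a plain array of scalars/arrays.
function hardened_unserialize_callback(array $post): ?array
{
    if (($raw = raw_args($post)) === null) return null;
    $args = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($args) && !contains_object($args)) ? $args : null;
}

// Preferred hardening: drop PHP serialization entirely and validate a JSON
// document against an explicit schema (assumed here: a list of user IDs).
function hardened_json_callback(array $post): ?array
{
    if (($raw = raw_args($post)) === null) return null;
    $args = json_decode($raw, true, 3);
    if (!is_array($args) || !isset($args['user_ids']) || !is_array($args['user_ids'])) {
        return null;
    }
    foreach ($args['user_ids'] as $id) {
        if (!is_int($id) || $id < 1) return null;
    }
    return ['user_ids' => array_values($args['user_ids'])];
}

// Demo: the same attacker-built payload against all three handlers.
function demo(): void
{
    $target = sys_get_temp_dir() . '/pop_demo_' . getmypid();
    @unlink($target);
    $payload = sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:5:"owned";}',
        strlen($target), $target);

    $obj = vulnerable_callback(['args' => $payload]);
    printf("vulnerable: unserialize returned %s\n", get_class($obj));
    unset($obj);                                  // __destruct fires here
    printf("vulnerable: gadget wrote file? %s\n", file_exists($target) ? 'yes' : 'no');
    @unlink($target);

    $res = hardened_unserialize_callback(['args' => $payload]);
    printf("allowed_classes=false: %s, file written? %s\n",
        $res === null ? 'rejected' : 'accepted', file_exists($target) ? 'yes' : 'no');

    printf("json schema, payload: %s\n",
        hardened_json_callback(['args' => $payload]) === null ? 'rejected' : 'accepted');
    printf("json schema, benign: %s\n",
        json_encode(hardened_json_callback(['args' => '{"user_ids":[3,17]}'])));
}

demo();
```

Run it with `php demo.php`. The vulnerable path instantiates `LogWriter` and its destructor writes the file as soon as the object is released; with `allowed_classes => false` the same bytes yield a `__PHP_Incomplete_Class` that the handler rejects and no destructor runs; the JSON handler rejects the payload outright and accepts only the assumed shape. The `allowed_classes` variant is the smallest safe change for code that must keep accepting serialized input; switching the wire format to JSON is the better long-term fix because it removes the deserialization surface rather than fencing it.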
References
1. https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve
2. https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13
3. https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271
4. https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13
5. https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271