User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Vulnerabilities 47Slug profile-builderLatest version 3.16.0WordPress.org →

Minimum safe version

3.15.6

Update to 3.15.6 or later to address 47 fixable vulnerabilities

Latest available3.16.0
N/A
2026-03-30< 3.15.6

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field

WordfenceCVE
Critical 9.8
2026-02-02< 3.15.2

CVE-2025-15030

CVEWordfence
Medium 6.4
2025-08-16< 3.14.4

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

EUVDWordfenceCVE
Medium 6.4
2025-06-03< 3.13.9

Profile Builder <= 3.13.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via user_meta and compare Shortcodes

EUVDWordfenceCVE
Medium 4.8
2025-05-15< 3.12.2

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.12.1 - Authenticated (Admin+) Stored Cross-Site Scripting

EUVDWordfenceCVE
Medium 6.4
2025-04-16< 3.13.7

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

EUVDWordfenceCVE
Critical 9.8
2024-07-31< 3.11.9

CVE-2024-6695

CVEWordfence
N/A
2023-11-07< 3.10.4

Profile Builder <= 3.10.3 - Cross-Site Request Forgery via pms-cross-promotion.php

Wordfence
Medium 4.3
2023-09-04< 3.9.8

CVE-2023-4059

CVEWPScan
N/A
2023-08-09< 3.9.8

WordPress Profile Builder Plugin < 3.9.8 is vulnerable to Broken Access Control

Patchstack
N/A
2023-08-08< 3.9.8

Profile Builder <= 3.9.7 - Missing Authorization to Initial Page Creation

Wordfence
N/A
< 1.1.60

Profile Builder &lt; 1.1.60 - Password Recovery Bypass

WPScan
N/A
< 2.4.1

Profile Builder &lt; 2.4.1 - Privilege Escalation

WPScan
N/A
< 2.5.8

Profile Builder &lt; 2.5.8 - Authenticated Stored Cross-Site Scripting (XSS)

WPScan
N/A
< 3.1.1

Profile Builder and Profile Builder Pro &lt; 3.1.1 - User Registration With Administrator Role

WPScan
N/A
< 3.3.3

Profile Builder &amp; Profile Builder Pro &lt; 3.3.3 - Authenticated Blind SQL Injection

WPScan
N/A
< 3.5.1

Profile Builder &lt; 3.5.1 - Reflected Cross-Site Scripting

WPScan
High 8.1
2023-04-27< 3.9.1

WordPress Profile Builder Plugin <= 3.9.0 is vulnerable to Sensitive Data Exposure

PatchstackCVEWordfenceWPScan
N/A
2014-05-06< 1.1.60

Profile Builder – User Profile & User Registration Forms Plugin < 1.1.60 - Authentication Bypass

Wordfence
N/A
2016-07-07< 2.4.1

Profile Builder <= 2.4.0 - Privilege Escalation

Wordfence
N/A
2017-03-10< 2.5.8

Profile Builder < 2.5.8 - Cross-Site Scripting

Wordfence
N/A
2020-02-13< 3.1.1

Profile Builder <= 3.1.0 - Privilege Escalation

Wordfence
N/A
2020-12-04< 3.3.3

Profile Builder/Profile Builder Pro <= 3.3.2 - Authenticated Blind SQL Injection

Wordfence
N/A
2014-08-01< 1.1.60

WordPress Profile Builder Plugin <= 1.1.59 - BYPASS

Patchstack
N/A
2016-07-08< 2.4.1

WordPress Profile Builder Plugin <= 2.4.0 - Privilege Escalation

Patchstack
N/A
2016-07-13< 2.4.2

WordPress Profile Builder Plugin <= 2.4.1 - Reflected Cross Site Scripting

Patchstack
N/A
2020-02-10< 3.1.1

WordPress Profile Builder plugin <= 3.1.0 - User Registration With Administrator Role vulnerability

Patchstack
N/A
2020-12-02< 3.3.3

WordPress Profile Builder plugin <= 3.3.2 - Authenticated Blind SQL Injection (SQLi) vulnerability

Patchstack