WordPress Profile Builder Pro: Unauthenticated PHP Object Injection Risks Site Takeover

The National Vulnerability Database has disclosed CVE-2026-7647, a critical PHP Object Injection vulnerability impacting all versions of the Profile Builder Pro plugin for WordPress up to and including 3.14.5. This flaw stems from the wppb_request_users_pins_action_callback() AJAX handler, which improperly uses PHP’s maybe_unserialize() function on attacker-controlled input within the ‘args’ POST parameter. Crucially, this handler lacks any nonce verification, type checking, or input validation.

Because the vulnerable AJAX handler is registered with both the wp_ajax_ and wp_ajax_nopriv_ hooks, it is reachable by completely unauthenticated visitors. This design oversight lets an attacker have attacker-chosen PHP objects instantiated inside the application, which sets the stage for remote code execution (RCE) and full site compromise when a suitable gadget class is available. The National Vulnerability Database assigns this a CVSS score of 8.1 (HIGH), underscoring the severe risk.

This isn’t just a theoretical vulnerability; PHP Object Injection is a well-understood vector for RCE. Attackers can leverage it to upload malicious files, create new administrative users, or completely deface a site. Because no authentication is required, exploitation is straightforward for anyone with basic knowledge of the vulnerability class. Defenders need to prioritize patching or removal immediately.
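As an added illustration (not the plugin's own code), the following hardened WordPress AJAX callback shows the controls the article says the vulnerable handler lacks: authenticated-only registration, nonce verification, a capability check, type checking, and schema validation, with JSON parsing in place of maybe_unserialize() on client data. The hook name, function name, capability and argument keys are hypothetical; the page only names wppb_request_users_pins_action_callback() and the 'args' POST parameter.

```php
<?php
// Added example, not Profile Builder Pro's code. Hook/function names and the
// expected 'args' keys (page, per_page, search) are hypothetical.

// Register for authenticated requests only: no wp_ajax_nopriv_ hook, so
// anonymous visitors never reach the handler.
add_action( 'wp_ajax_example_request_users_pins', 'example_request_users_pins_callback' );

function example_request_users_pins_callback() {
    // 1. Nonce: the request must carry a token issued to this user for this action.
    check_ajax_referer( 'example_request_users_pins', 'security' );

    // 2. Capability: only users allowed to manage other users may query PINs.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Type check: 'args' must be a bounded string before any parsing happens.
    $raw = ( isset( $_POST['args'] ) && is_string( $_POST['args'] ) ) ? wp_unslash( $_POST['args'] ) : '';
    if ( '' === $raw || strlen( $raw ) > 4096 ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // 4. Parse as JSON, never maybe_unserialize(): json_decode() yields only arrays
    //    and scalars, so no PHP object (and none of its magic methods) is created
    //    from client-controlled data. If a legacy client must send PHP-serialized
    //    data, unserialize( $raw, array( 'allowed_classes' => false ) ) turns every
    //    object into __PHP_Incomplete_Class instead of instantiating it.
    $args = json_decode( $raw, true );
    if ( ! is_array( $args ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // 5. Validate against an explicit schema: known keys, expected types, bounded values.
    $clean = array(
        'page'     => isset( $args['page'] ) ? max( 1, absint( $args['page'] ) ) : 1,
        'per_page' => isset( $args['per_page'] ) ? min( 100, max( 1, absint( $args['per_page'] ) ) ) : 20,
        'search'   => isset( $args['search'] ) ? sanitize_text_field( (string) $args['search'] ) : '',
    );

    // The actual lookup would use $clean only; here the validated input is echoed back.
    wp_send_json_success( $clean );
}
```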

What This Means For You

  • If your organization uses the WordPress Profile Builder Pro plugin, you need to verify its version immediately. Any version up to and including 3.14.5 is vulnerable to unauthenticated PHP Object Injection, which can lead to full site takeover. Patch or disable this plugin without delay and audit your WordPress logs for any suspicious activity targeting the `wppb_request_users_pins_action_callback()` AJAX handler.

🛡️ Detection Rules

Severity: high · ATT&CK: T1505.003 (Persistence)

Web Shell Activity Detection — CVE-2026-7647

Sigma YAML:

```yaml
title: Web Shell Activity Detection — CVE-2026-7647
id: scw-2026-05-02-1
status: experimental
level: high
description: |
  Detects potential web shell interaction patterns following the CVE-2026-7647 breach.
author: SCW Feed Engine (auto-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7647/
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: webserver
detection:
  selection:
    cs-uri|endswith:
      - '.php'
      - '.jsp'
      - '.aspx'
      - '.ashx'
    cs-uri-query|contains:
      - 'cmd='
      - 'exec='
      - 'shell'
      - 'upload'
  # condition belongs at the detection level, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative tooling or upload endpoints whose URIs contain these fragments
```

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7647 | Deserialization | Profile Builder Pro plugin for WordPress, versions <= 3.14.5 |
| CVE-2026-7647 | Code Injection | PHP Object Injection via the 'args' POST parameter in the wppb_request_users_pins_action_callback() AJAX handler |
| CVE-2026-7647 | Auth Bypass | wppb_request_users_pins_action_callback() AJAX handler reachable by unauthenticated users (wp_ajax_nopriv_) |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
