{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8896", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-12T17:33:58.596Z", "datePublished": "2025-08-16T06:39:22.024Z", "dateUpdated": "2026-04-08T16:40:33.546Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:33.546Z"}, "affected": [{"vendor": "cozmoslabs", "product": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.14.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form."}], "title": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d28e118-07d3-483e-87b8-66ccdb79e879?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3344317%40profile-builder&new=3344317%40profile-builder&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jessie Irelan"}], "timeline": [{"time": "2025-08-13T07:22:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-15T18:31:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-18T13:15:54.967051Z", "id": "CVE-2025-8896", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T13:15:59.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8896", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T13:15:54.967051Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T13:15:56.966Z"}}], "cna": {"title": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.14.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jessie Irelan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "cozmoslabs", "product": "User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.14.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-13T07:22:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-15T18:31:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d28e118-07d3-483e-87b8-66ccdb79e879?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3344317%40profile-builder&new=3344317%40profile-builder&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:33.546Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8896", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:33.546Z", "dateReserved": "2025-08-12T17:33:58.596Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-16T06:39:22.024Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form."}, {"lang": "es", "value": "El complemento User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles &amp; User Role Editor para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del par\u00e1metro 'gdpr_communication_preferences[]' en todas las versiones hasta la 3.14.3 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. Esto solo es explotable cuando el m\u00f3dulo \"Preferencias de Comunicaci\u00f3n del RGPD\" est\u00e1 habilitado y se ha a\u00f1adido al menos un campo de \"Preferencias de Comunicaci\u00f3n del RGPD\" al formulario de edici\u00f3n de perfil."}], "id": "CVE-2025-8896", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-16T07:15:27.960", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3344317%40profile-builder&new=3344317%40profile-builder&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d28e118-07d3-483e-87b8-66ccdb79e879?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:27:56.559526+00:00", "value": {"mitigation_remediation": ["Update the User Profile Builder plugin to the latest version (\u22653.14.4) where the stored XSS issue has been fixed.", "If an update is not possible, disable the GDPR Communication Preferences module or delete any added preference fields to remove the vector.", "Restrict the ability to edit profile preferences to trusted users only, or reduce the privileges of the Subscriber role so that it cannot modify these fields.", "Review existing profile preference entries for malicious content and sanitize or delete those entries."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress plugin \"User Profile Builder \u2013 Beautiful User Registration Forms, User Profiles & User Role Editor\" on version 3.14.3 or earlier are affected. The vulnerability is present only when the GDPR Communication Preferences module is enabled and at least one preferences field has been added to a user profile. Earlier or newer plugin versions are not impacted.", "description_and_impact": "The User Profile Builder plugin is vulnerable to stored XSS via the gdpr_communication_preferences[] parameter. The flaw stems from insufficient input sanitization and output escaping, allowing an attacker to inject scripts that execute on pages where the preference is displayed. The impact is that an authenticated user with Subscriber or higher privileges can run arbitrary JavaScript in the context of site visitors, potentially enabling credential theft, session hijacking, or defacement. The weakness is classified as CWE-79 Cross\u2011Site Scripting.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate to high severity. The EPSS score is below 1\u202f%, suggesting that the likelihood of the vulnerability being actively exploited is quite low at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Externally, the attack requires an authenticated account with Subscriber level or higher and the ability to edit profile preferences, typically granted to regular users with a suitable role. An attacker can therefore add malicious code through the preferences field, which will be stored and displayed to visitors, enabling exploitation. While the likelihood of exploitation is low, the potential impact remains significant due to the ability to execute arbitrary JavaScript during page loads."}}}}, "created": "2026-04-22T14:30:18.962026+00:00", "updated": "2026-04-22T14:30:18.962039+00:00", "vendors": []}