CVE-2023-0814

Name of the Vulnerable Software and Affected Versions The Profile Builder – User Profile & User Registration Forms plugin for WordPress versions up to, and including 3.9.0

Description The issue is related to sensitive information disclosure via the user meta shortcode. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. Authenticated attackers with subscriber-level permissions and above can retrieve sensitive user meta, potentially gaining access to a high-privileged user account. The Usermeta shortcode must be enabled for this issue to be exploited.

Recommendations For versions up to, and including 3.9.0, consider disabling the user meta shortcode until a patch is available to prevent exploitation. Restrict access to sensitive user meta values to minimize the risk of unauthorized access.