PT-2025-33539 · WordPress · User Profile Builder

Jessie Irelan · Published 2025-08-16 · Updated 2025-08-16 · CVE-2025-8896

CVSS v3.1: 6.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress versions through 3.14.3
Description: The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is susceptible to Stored Cross-Site Scripting via the gdpr_communication_preferences[] parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form.
Recommendations: Update to a version beyond 3.14.3. Disable the GDPR Communication Preferences module. Remove any GDPR Communication Preferences fields from the edit profile form.
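
The two controls the description names as missing, input sanitization and output escaping, shown for a multi-value preferences field. This is an added example in plain PHP, not the plugin's code: the option slugs, the function names and the underscore form of the field name are assumptions, and the sample values are constructed.

```php
<?php
// Added illustration; not the plugin's code. Option slugs and function names are hypothetical.

// Options the site administrator configured for the field (constructed sample).
const ALLOWED_PREFERENCES = ['email', 'sms', 'phone', 'post'];

/**
 * Input side: keep only submitted values that exactly match a configured option.
 * Anything else (markup, nested arrays, unknown strings) is dropped before storage.
 */
function filter_preferences($submitted): array
{
    if (!is_array($submitted)) {
        return [];
    }
    $clean = [];
    foreach ($submitted as $value) {
        if (is_string($value) && in_array($value, ALLOWED_PREFERENCES, true)) {
            $clean[] = $value;
        }
    }
    return array_values(array_unique($clean));
}

/**
 * Output side: escape every stored value for the HTML attribute context,
 * so rows written before the input check existed still render as inert text.
 */
function render_preferences(array $stored): string
{
    $html = '';
    foreach ($stored as $value) {
        $safe = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<input type="checkbox" name="gdpr_communication_preferences[]" value="'
               . $safe . '" checked>' . "\n";
    }
    return $html;
}

// Constructed request body: one valid choice, one value carrying markup, one nested array.
$submitted = ['email', '"><b>not-an-option</b>', ['nested']];
var_dump(filter_preferences($submitted));

// Constructed stored data: the second value predates the input check and is entity-encoded here.
echo render_preferences(['sms', '"><b>legacy</b>']);
```

In WordPress code the output step would normally use esc_attr() rather than a direct htmlspecialchars() call.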

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-8896

Affected Products: User Profile Builder