PT-2026-36582 · WordPress · Profile Builder

Mattia Brollo

Published 2026-05-02 · Updated 2026-05-15

CVE-2026-7647

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Profile Builder Pro versions prior to 3.14.6
Description: The Profile Builder Pro plugin for WordPress is susceptible to PHP Object Injection. The wppb_request_users_pins_action_callback() AJAX handler passes the args POST parameter to maybe_unserialize() without nonce verification, type checking, or input validation. Because the handler is registered on both the wp_ajax_ and wp_ajax_nopriv_ hooks, unauthenticated attackers can reach it through admin-ajax.php and inject arbitrary PHP objects into the application. Object injection by itself only instantiates attacker-chosen objects; the practical impact (code execution, file deletion, data disclosure) depends on a usable gadget (POP) chain being present in the installed plugins or theme.
Recommendations: Update the plugin to version 3.14.6 or later. As a temporary workaround, restrict access to the wppb_request_users_pins_action_callback() handler, for example by removing its wp_ajax_nopriv_ registration so that only authenticated users can reach it, or by blocking unauthenticated admin-ajax.php requests for that action at the web server or WAF. Note that any logged-in account can still reach the wp_ajax_ hook, so the workaround narrows exposure but the update is the only complete fix.
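The handler shape the description refers to, beside a hardened version, and the workaround from the recommendations as a must-use plugin. This is an added example and not the Profile Builder plugin's own code. The AJAX action name wppb_request_users_pins_action, hook priority 10, the nonce action wppb_pins and the request field user_ids are assumptions made for illustration; only the callback name wppb_request_users_pins_action_callback() appears in the advisory.

```php
<?php
/**
 * Added example, not the Profile Builder plugin's own code.
 *
 * Part 1 contrasts the handler shape the advisory describes with a hardened
 * version. Part 2 is a must-use plugin implementing the advisory's workaround.
 * Assumptions (not taken from the advisory): the AJAX action name
 * 'wppb_request_users_pins_action', hook priority 10, the nonce action
 * 'wppb_pins', and the request field 'user_ids'. Only the callback name
 * wppb_request_users_pins_action_callback() appears in the advisory.
 */

/* ---- Part 1: vulnerable shape vs hardened handler ----------------------- */

// Vulnerable shape (as described): reachable by anyone through
// admin-ajax.php?action=<action> because both hooks are registered, and the
// raw POST value goes straight into unserialize().
function example_vulnerable_pins_callback() {
    // The attacker controls the serialized string, so any loadable class is
    // instantiated; __wakeup()/__destruct() gadgets in other plugins or the
    // theme turn this into code execution, file deletion, etc.
    $args = maybe_unserialize( $_POST['args'] ?? '' );
    wp_send_json_success( $args );
}
add_action( 'wp_ajax_example_vulnerable_pins',        'example_vulnerable_pins_callback' );
add_action( 'wp_ajax_nopriv_example_vulnerable_pins', 'example_vulnerable_pins_callback' );

// Hardened handler.
function example_hardened_pins_callback() {
    // 1. Nonce: the request must carry a token the site rendered for this
    //    user, so blind and cross-site requests are rejected here (HTTP 403).
    check_ajax_referer( 'wppb_pins', 'nonce' );

    // 2. Authorisation: the handler touches user data, so require a
    //    capability and do not register a wp_ajax_nopriv_ hook at all.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. No PHP deserialization of client input. Accept JSON decoded to
    //    arrays (assoc = true), which can never instantiate a class.
    //    wp_unslash() undoes the slashes WordPress adds to $_POST.
    $raw  = wp_unslash( $_POST['args'] ?? '' );
    $args = json_decode( $raw, true, 8 );
    if ( ! is_array( $args ) || JSON_ERROR_NONE !== json_last_error() ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // 4. Type-check and allow-list each field rather than trusting structure:
    //    absint() turns anything non-numeric into 0, which array_filter drops.
    $user_ids = array_map( 'absint', (array) ( $args['user_ids'] ?? array() ) );
    $user_ids = array_values( array_unique( array_filter( $user_ids ) ) );
    if ( empty( $user_ids ) || count( $user_ids ) > 100 ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // ... look up pins for $user_ids here ...
    wp_send_json_success( array( 'user_ids' => $user_ids ) );
}
add_action( 'wp_ajax_example_hardened_pins', 'example_hardened_pins_callback' );

/* ---- Part 2: temporary workaround as a must-use plugin ------------------ */
// Drop into wp-content/mu-plugins/ until 3.14.6 is installed. Must-use plugins
// load before regular plugins, so the unhook has to wait until the plugin has
// registered its hooks; 'init' is late enough. This only removes the
// unauthenticated path: any logged-in account can still reach the wp_ajax_
// hook, so it narrows exposure but is not a fix.
add_action( 'init', function () {
    remove_action(
        'wp_ajax_nopriv_wppb_request_users_pins_action', // assumed action name
        'wppb_request_users_pins_action_callback',
        10                                               // assumed priority
    );
}, 20 );
```

In practice the two parts live in different files (Part 1 in the plugin, Part 2 as a standalone mu-plugin); they are shown together only to keep the contrast in one place. remove_action() only succeeds when the hook name, callback and priority match the original add_action() exactly, so the assumed values must be checked against the plugin source before relying on the workaround.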

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2026-7647

Affected Products

Profile Builder