WordPress Profile Builder Plugin: Stored XSS

A simple stored cross-site scripting (XSS) vulnerability was found in the WordPress Profile Builder plugin, version 5.2.7 and below.
This is just a PoC example: fill in the minimum password length field with


After we save the changes, the injected JavaScript executes successfully. This indicates that the plugin has a stored XSS vulnerability.
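The fix pattern for a settings field like this one, which should only ever hold a number, is to validate on save and escape on output. The following is an added example, not Profile Builder's own code; the option name, settings group, function names and the 1 to 128 range are assumptions made for illustration.

```php
<?php
// Added example: hypothetical option and function names, not the plugin's code.
const EXAMPLE_MIN_PW_OPTION = 'example_min_password_length'; // assumed option name

/**
 * Sanitize on save: accept only a whole number in a sane range.
 * Anything else (markup, script, empty string) is rejected and the
 * previously stored value, forced to an integer, is kept.
 */
function example_sanitize_min_password_length( $raw ) {
    $raw = is_scalar( $raw ) ? trim( (string) $raw ) : '';
    if ( ! ctype_digit( $raw ) || (int) $raw < 1 || (int) $raw > 128 ) {
        add_settings_error(
            EXAMPLE_MIN_PW_OPTION,
            'invalid_min_length',
            'Minimum password length must be a whole number between 1 and 128.'
        );
        return absint( get_option( EXAMPLE_MIN_PW_OPTION, 8 ) );
    }
    return (int) $raw;
}

add_action( 'admin_init', function () {
    register_setting(
        'example_settings_group', // assumed settings group
        EXAMPLE_MIN_PW_OPTION,
        array(
            'type'              => 'integer',
            'sanitize_callback' => 'example_sanitize_min_password_length',
            'default'           => 8,
        )
    );
} );

/**
 * Escape on output: even if an older, unsanitized value is still in the
 * database, it is cast to an integer and attribute-escaped before rendering.
 */
function example_render_min_password_length_field() {
    $value = absint( get_option( EXAMPLE_MIN_PW_OPTION, 8 ) );
    printf(
        '<input type="number" min="1" max="128" name="%s" value="%s" />',
        esc_attr( EXAMPLE_MIN_PW_OPTION ),
        esc_attr( (string) $value )
    );
}
```

Both layers matter: the save-time check stops new script content from being stored, and the output escaping neutralizes values written before the check existed.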

