Wordpress Profile Builder Plugin: Stored XSS

Simple stored Cross Site Scripting (XSS) found in WordPress Profile Builder Plugin version 5.2.7 and below.
This is just a PoC example, just fill in the minimum password length field with

[code]8″><script>alert(1)</script>[/code]

After we save the changes, the injected JavaScript executed successfully. This indicates that the plugin has a stored XSS vulnerability.

References

• CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
• User registration & user profile – Profile Builder