Unauthenticated PHP object injection in Profile Builder Pro
TL;DR - Profile Builder Pro <= 3.14.5 passes an attacker-controlled args POST parameter directly into maybe_unserialize() inside the AJAX handler wppb_request_users_pins_action_callback(). The handler is registered with wp_ajax_nopriv_, so any anonymous HTTP request to admin-ajax.php can trigger PHP object injection. No authentication, no nonce, no type check.
What happened
Profile Builder Pro is a WordPress plugin for building registration and profile management workflows. CVE-2026-7647 is a PHP object injection flaw rooted in unsafe deserialization of user-supplied data.
The attack path is straightforward. The handler wppb_request_users_pins_action_callback() calls maybe_unserialize() on the args POST parameter with no prior nonce verification, type checking, or input validation. The CVE record confirms all three controls are absent.
What makes this immediately reachable is the routing. The handler is registered under both wp_ajax_ and wp_ajax_nopriv_, meaning WordPress will dispatch it for unauthenticated requests via admin-ajax.php. No session, no token, no precondition.
Object injection on its own is a stepping stone. unserialize() instantiates any loaded class the payload names and runs that class's __wakeup() and, once the object is released, __destruct(), with property values the attacker chose; WordPress core's maybe_unserialize() applies no class allow-list, so the actual impact depends on which gadget chains exist in the plugin and theme code loaded on the target site. In practice, WordPress environments accumulate plugins over time, and the more code is loaded the more likely a usable gadget chain is present. Treat unauthenticated deserialization as potential initial-access exposure.
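The pattern below is an added illustration, not the plugin's own source: it reconstructs the handler shape the advisory describes and sets it beside a hardened version. The callback name comes from the advisory; the AJAX action name wppb_request_users_pins, the capability edit_users and the keys expected in args are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's source. The handler body is a
// reconstruction of the pattern the advisory describes; the action name
// 'wppb_request_users_pins', the capability and the keys in `args` are assumed.

// --- Vulnerable pattern: unserialize() reaches attacker data unconditionally ---
function wppb_request_users_pins_action_callback_vulnerable() {
    // maybe_unserialize() calls unserialize() on any string that passes
    // is_serialized(), so a POST body of args=O:8:"SomeClass":... instantiates
    // SomeClass and runs its __wakeup()/__destruct() during this request.
    $args = maybe_unserialize( $_POST['args'] ?? '' );
    // ... work with $args ...
    wp_send_json_success( $args );
}
// Both registrations: the nopriv one is what makes this reachable anonymously.
add_action( 'wp_ajax_wppb_request_users_pins',        'wppb_request_users_pins_action_callback_vulnerable' );
add_action( 'wp_ajax_nopriv_wppb_request_users_pins', 'wppb_request_users_pins_action_callback_vulnerable' );

// --- Hardened pattern: authenticate, authorize, then parse a format that cannot carry objects ---
function wppb_request_users_pins_action_callback_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (check_ajax_referer() dies with a 403 on failure).
    check_ajax_referer( 'wppb_request_users_pins', 'nonce' );

    // 2. Authorization: anonymous users have no business here, so there is
    //    no wp_ajax_nopriv_ registration and the capability is checked explicitly.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: accept JSON, not PHP serialization. json_decode() with
    //    $assoc = true can only produce scalars and arrays, never a PHP
    //    object whose magic methods run.
    $raw  = wp_unslash( $_POST['args'] ?? '' );
    $args = json_decode( $raw, true );
    if ( ! is_array( $args ) ) {
        wp_send_json_error( 'invalid args', 400 );
    }

    // 4. Validate the shape: keep only the keys the handler needs, types coerced.
    $clean = array(
        'user_ids' => isset( $args['user_ids'] ) ? wp_parse_id_list( $args['user_ids'] ) : array(),
        'page'     => isset( $args['page'] ) ? absint( $args['page'] ) : 1,
    );
    wp_send_json_success( $clean );
}
// Only one registration would exist in a real plugin; both appear here for contrast.
add_action( 'wp_ajax_wppb_request_users_pins', 'wppb_request_users_pins_action_callback_hardened' );
```

The hardened handler drops the wp_ajax_nopriv_ registration entirely, checks a nonce and a capability before touching input, and parses args as JSON. If the serialized format has to be kept for compatibility, unserialize( $raw, array( 'allowed_classes' => false ) ) at least prevents instantiation (objects arrive as __PHP_Incomplete_Class), but WordPress core's maybe_unserialize() exposes no such option, so untrusted input should not be routed through it at all.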
Who is impacted
- WordPress sites running Profile Builder Pro at versions <= 3.14.5.
- Environments where admin-ajax.php is reachable from the internet, which is the default WordPress configuration.
| Item | Detail |
|---|---|
| Vulnerable parameter | args (POST) |
| Vulnerable code path | wppb_request_users_pins_action_callback() calling maybe_unserialize() |
| Attack precondition | None (unauthenticated via wp_ajax_nopriv_) |
| Severity | CVSS 3.1 8.1 (High) |
| CWE | CWE-502 |
What to do now
- Apply the latest patched release. The CVE record does not name a specific fixed version, so check the plugin's changelog and install the current release.
- Inventory your WordPress estate for Profile Builder Pro and confirm no site is running <= 3.14.5.
- Review web server and WordPress logs for suspicious POST requests to admin-ajax.php carrying serialized payloads in the args parameter. Serialized PHP strings begin with a:, O:, s:, or similar type identifiers; O: and C: are the tokens that instantiate objects, and they may be nested inside an a: array. Note that standard Apache and nginx access logs record only the request line, not the POST body, so this review needs a WAF log, ModSecurity audit log, or other request-body capture to be useful.
- If you have reason to suspect exploitation:
- rotate credentials accessible to the WordPress runtime under your incident response process
- check for unexpected file changes or scheduled task additions consistent with post-exploitation activity
- If patching immediately is not possible:
- restrict access to WordPress AJAX endpoints at the edge where operationally feasible
- disable or remove the plugin in high-risk environments until remediation is applied
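As an added example that is not part of the advisory, the PHP triage script below scans captured request bodies for the payload shape the log-review step looks for. Because access logs do not carry POST bodies, the input is assumed to be a body capture from a WAF, ModSecurity audit log or reverse proxy, flattened here into a constructed one-line-per-request layout; the action name wppb_request_users_pins in the samples is an assumption.

```php
<?php
// Added example, not from the advisory or the plugin. Flags admin-ajax.php
// requests whose `args` parameter is PHP-serialized and carries an object.
// Log lines are constructed for this example in a "<timestamp> <client> <path> <body>"
// layout; a WAF or ModSecurity audit log gives the same data in its own format.

// PHP serialization tokens that create objects when unserialized:
//   O:<len>:"<class>":<n>:{...}    plain object
//   C:<len>:"<class>":<len>:{...}  class implementing Serializable
// a: (array) and s: (string) are harmless on their own but can wrap O:/C:.
function args_carries_object( string $body ): bool {
    parse_str( $body, $params );  // URL-decodes args=... the way PHP builds $_POST
    if ( ! isset( $params['args'] ) || ! is_string( $params['args'] ) ) {
        return false;
    }
    // Object tokens at the start of the value or right after a { or ; separator,
    // which covers payloads nested inside an a: wrapper. An s: string whose
    // content contains O: would also match; that is an acceptable triage false positive.
    return (bool) preg_match( '/(?:^|[{;])[OC]:\d+:"/', $params['args'] );
}

function scan_log( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( '/^(\S+) (\S+) (\S+) (.*)$/', $line, $m ) ) {
            continue;
        }
        [ , $ts, $client, $path, $body ] = $m;
        if ( strpos( $path, 'admin-ajax.php' ) === false ) {
            continue;
        }
        if ( args_carries_object( $body ) ) {
            $hits[] = array( 'time' => $ts, 'client' => $client, 'args' => urldecode( $body ) );
        }
    }
    return $hits;
}

// Constructed sample: a benign serialized array, a JSON value, an object nested
// inside an array, and an unrelated login request. Only the third line is flagged.
$sample = <<<'LOG'
2026-05-01T10:00:01Z 198.51.100.7 /wp-admin/admin-ajax.php action=wppb_request_users_pins&args=a%3A1%3A%7Bi%3A0%3Bi%3A5%3B%7D
2026-05-01T10:00:02Z 198.51.100.8 /wp-admin/admin-ajax.php action=wppb_request_users_pins&args=%7B%22page%22%3A1%7D
2026-05-01T10:00:03Z 203.0.113.9 /wp-admin/admin-ajax.php action=wppb_request_users_pins&args=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D
2026-05-01T10:00:04Z 203.0.113.9 /wp-login.php log=admin&pwd=x
LOG;

foreach ( scan_log( $sample ) as $hit ) {
    printf( "%s %s %s\n", $hit['time'], $hit['client'], $hit['args'] );
}
```

Treat a hit as a lead, not a verdict: the class named in the payload tells you which gadget the attacker was aiming for, and the client address and timestamp give you the window to check against file-change and cron-entry reviews from the incident response steps above.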
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
