CVE-2025-49292
Status: Awaiting Analysis (queue)
BaseFortify

Publication date: 2025-06-06

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Validation of Specified Quantity in Input vulnerability in Cozmoslabs Profile Builder (profile-builder) allows Phishing. This issue affects Profile Builder: from n/a through <= 3.13.8.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the WordPress Profile Builder plugin (up to version 3.13.8) allows unauthenticated attackers to inject malicious content into website pages and posts. This content injection can be used to conduct phishing attacks by displaying deceptive content to users. It is a content spoofing vulnerability classified under OWASP Top 10 category A3: Injection. [1]


How can this vulnerability impact me?

The vulnerability can impact you by enabling attackers to display deceptive content on your website, potentially tricking users into phishing attacks. This can lead to loss of user trust, potential credential theft, and damage to your website's reputation. Although the severity is low and the likelihood of exploitation is limited, it still poses a risk if not addressed. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking whether the installed WordPress Profile Builder plugin version is 3.13.8 or earlier, as these versions are affected. Since the vulnerability allows unauthenticated content injection leading to phishing, monitoring for unexpected or deceptive content on website pages and posts can indicate exploitation. No specific detection commands are provided. Patchstack offers virtual patching as an interim protective measure and recommends professional incident response if compromise is suspected. [1]
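The version check described above, as an added example that is not part of the BaseFortify record: it reads the standard WordPress plugin header ("Version: x.y.z") and reports whether the installed version falls in the affected range (<= 3.13.8, fixed in 3.13.9). The plugin main-file path `wp-content/plugins/profile-builder/index.php` and the sample header are assumptions.

```python
"""Check whether an installed Profile Builder plugin is in the affected
range for CVE-2025-49292 (affected: <= 3.13.8, first fixed: 3.13.9).
Added example; not code from the BaseFortify page or from the plugin."""
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "3.13.9"  # first version the page states as fixed
# Assumed location of the plugin's main file (WordPress plugin header lives there).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/profile-builder/index.php")

# Constructed sample of a WordPress plugin header so the script runs offline.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Profile Builder
Version: 3.13.8
*/
"""


def parse_version(header_text: str) -> Optional[str]:
    # Match "Version: 3.13.8" or " * Version: 3.13.8" inside the header comment.
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.M)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    # Compare each dotted component numerically so 3.13.8 < 3.13.9 < 3.14.0.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # Everything below the fixed release is in the "through <= 3.13.8" range.
    return version_tuple(installed) < version_tuple(fixed)


def check_header(header_text: str) -> dict:
    v = parse_version(header_text)
    if v is None:
        return {"version": None, "affected": None}  # header unreadable: inspect manually
    return {"version": v, "affected": is_affected(v)}


if __name__ == "__main__":
    text = PLUGIN_MAIN_FILE.read_text() if PLUGIN_MAIN_FILE.exists() else SAMPLE_HEADER
    print(check_header(text))
```

On a live site the same figure can be read with WP-CLI (`wp plugin get profile-builder --field=version`); the script falls back to the constructed sample when the assumed path does not exist.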


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the WordPress Profile Builder plugin to version 3.13.9 or later, where the vulnerability is fixed. As an interim measure, applying Patchstack's virtual patching (vPatching) can automatically mitigate the vulnerability before official patches are applied. Additionally, if a website is already compromised, professional incident response services are recommended. Reliance solely on plugin-based malware scanners is cautioned against. [1]

