HIGH | CVE-2026-42385 | Published | Modified | CNA: Patchstack

CVE-2026-42385: WordPress Profile Builder Pro plugin <= 3.15.0 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a reflected or stored cross-site scripting (XSS) vulnerability in the Profile Builder Pro WordPress plugin, versions 3.15.0 and earlier. The flaw is reachable over the network without any login credentials, but requires a victim to interact with a malicious link or page. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the victim's browser, enabling session theft, page content manipulation, or redirection to attacker-controlled sites. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment. Images containing the affected Profile Builder Pro plugin version are matched against ingested vulnerability feeds within minutes of CVE publication, including custom-built WordPress images assembled internally by customer teams.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 7.1 (HIGH), applied against each environment's compliance policy weighting to determine breach-of-threshold status. Findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Cozmoslabs or the CNA publishes a remediated release. In the interim, customers can apply compensating controls through HarborGuard's network-policy and egress-filtering recommendations described below.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.

  • Authentication: Not required

    No account or session credential is needed; the attacker can send a malicious payload as an unauthenticated visitor.

  • Victim interaction: Required

    A victim must follow a crafted link or visit an attacker-controlled page that triggers the injected script, making this a social-engineering-dependent attack.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or unusual environmental configuration to succeed.

Blast Radius

  • An attacker can steal session cookies or authentication tokens from the victim's browser, gaining access to the victim's WordPress account without knowing their password.
  • Injected JavaScript can read and exfiltrate any data visible on the page in the victim's browser session, including form inputs and personal profile data.
  • The attacker can modify page content in the victim's browser, redirecting them to phishing sites or replacing legitimate UI elements with malicious ones.
  • With a scope of Changed (S:C in the CVSS vector), the injected script runs in the context of the WordPress site origin, meaning its reach extends beyond the vulnerable plugin itself to other data and functionality on the same domain.

How HarborGuard Handles This

Available on HarborGuard: scanning capability detects all container images that bundle WordPress with Profile Builder Pro at version 3.15.0 or earlier, flagged at HIGH severity (CVSS 7.1). Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a remediated version is released. For customers who opt into auto-remediation, that rebuild is followed by a regression-test run and a pull request opened against affected workloads.

While no patch is available, consider these compensating controls where compliance policy permits:

  • Apply a web application firewall rule to sanitize or block payloads matching XSS patterns on Profile Builder Pro endpoints.
  • Restrict public access to profile registration and editing pages via network policy if those routes do not need to be publicly reachable.
  • Enable Content-Security-Policy headers in the serving container to limit the damage of any injected script.

HarborGuard will surface the patched rebuild for action as soon as the upstream fix is confirmed.

Affected packages
  • Cozmoslabs / Profile Builder Pro
    ≤ 3.15.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L