4 Sep 2024

WordPress Plugin Security Review: Profile Builder

For our 44th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Profile Builder.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. [Read more]

10 Feb 2022

Our Proactive Monitoring Caught a CSRF/Option Update Vulnerability in a WordPress Plugin Used by Our Customers

One way we help to improve the security of WordPress plugins, not just for the customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now expanded that for our customers by running the plugins they use, even when the code in them has not been updated, through the same system on a weekly basis. Through that, we caught a less serious variant of one of those vulnerabilities, a cross-site request forgery (CSRF)/option update vulnerability, in Profile Builder. That plugin, besides being used by at least one of our customers, is used on 60,000+ websites according to wordpress.org’s stats.

CSRF/Option Update

Among the add-ons for Profile Builder that ship with the plugin is Import and Export, which is described this way: [Read more]

6 Mar 2017

Vulnerability Details: Authenticated Arbitrary File Upload Vulnerability in Profile Builder

One of the ways that we collect the data to provide our customers with the best information on vulnerabilities in WordPress plugins is by monitoring for mentions that new versions of plugins include security fixes and figuring out which vulnerabilities have been fixed in the new version. We have found that in many cases the discoverers of vulnerabilities do not put out a report on the issue, so data sources that don’t do this monitoring will be missing these vulnerabilities. In version 2.5.8 of the plugin Profile Builder the changelog entry states that “Fixed security issues and performed a security audit”.

[Read more]

9 May 2016

A Reminder That The Process for Reporting WordPress Plugin Vulnerabilities Needs Improvement

A week ago we posted about the need for WordPress to make it easier to properly report vulnerabilities in plugins and now we have another good example of where the current process is lacking.

Yesterday on the wordpress.org support forum someone posted about a serious security vulnerability in the Profile Builder plugin, which would allow users who are able to get a shortcode into a post the ability to create Administrator accounts on a website where the plugin is installed and user registration is also enabled. [Read more]