PatchSiren cyber security CVE debrief

CVE-2026-42385 Cozmoslabs CVE debrief

CVE-2026-42385 is a high-severity Unauthenticated Cross-Site Scripting (XSS) vulnerability in Profile Builder Pro versions <= 3.15.0. It carries a CVSS score of 7.1 (HIGH). The record was published on 2026-06-17T13:20:40.067Z and last modified on 2026-06-17T15:16:50.517Z. The flaw allows an unauthenticated attacker to inject malicious scripts into the profile builder; successful exploitation requires user interaction. Users of Profile Builder Pro should update to a patched version, and administrators should prioritize this patch. The CVE record and NVD detail provide further information.

Vendor: Cozmoslabs
Product: Profile Builder Pro
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of Profile Builder Pro versions <= 3.15.0 should be aware of this vulnerability and take steps to mitigate it. It is particularly relevant to web application security teams and WordPress administrators.

Technical summary

CVE-2026-42385 is an Unauthenticated Cross-Site Scripting (XSS) vulnerability in Profile Builder Pro. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low attack complexity, no privileges required, user interaction required, changed scope, and low impact on confidentiality, integrity and availability. It allows attackers to inject malicious scripts into the profile builder. The resulting base score is 7.1 (HIGH). The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Defensive priority

High

Recommended defensive actions

  • Update Profile Builder Pro to a patched version
  • Review and limit user input to prevent script injection
  • Implement Content Security Policy (CSP) to restrict script execution
  • Monitor Profile Builder Pro for suspicious activity
  • Use a Web Application Firewall (WAF) to detect and prevent attacks
  • Educate users on secure interaction with the profile builder

Evidence notes

The CVE record and NVD detail provide information on this vulnerability. The vulnerability was reported by [email protected]. The CVE was published on 2026-06-17T13:20:40.067Z and last modified on 2026-06-17T15:16:50.517Z; CISA KEV listing is not present in the stored evidence.
