Report: CVE-2026-7647 - Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection
CVE ID: CVE-2026-7647
Published: May 2, 2026, 6:16 a.m.
Description: The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.
Severity: 8.1 | HIGH
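
The handler pattern described above, next to a hardened form that adds the three missing checks. This is an added illustration, not Profile Builder Pro's code or the vendor's patch; the action names, function names and the 'page'/'per_page' keys are hypothetical.

```php
<?php
// Added illustration, not Profile Builder Pro source. Action names, function
// names and the 'page'/'per_page' keys are hypothetical.

// BEFORE (vulnerable pattern, shown for contrast): reachable without login.
add_action( 'wp_ajax_example_request_pins', 'example_pins_vulnerable' );
add_action( 'wp_ajax_nopriv_example_request_pins', 'example_pins_vulnerable' );
function example_pins_vulnerable() {
    // No nonce, no type check: a serialized string in 'args' is turned into objects.
    $args = maybe_unserialize( wp_unslash( $_POST['args'] ) );
    wp_send_json_success( array( 'is_array' => is_array( $args ) ) );
}

// AFTER: same endpoint shape with nonce, type check and validation.
add_action( 'wp_ajax_example_request_pins_safe', 'example_pins_hardened' );
// Keep the nopriv hook only if anonymous visitors really need this endpoint;
// a nonce is an anti-CSRF token, not authentication.
add_action( 'wp_ajax_nopriv_example_request_pins_safe', 'example_pins_hardened' );
function example_pins_hardened() {
    // 1. Nonce check: dies with a 403 when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_request_pins', 'nonce' );

    // 2. Type check: 'args' must be present and a plain string.
    if ( ! isset( $_POST['args'] ) || ! is_string( $_POST['args'] ) ) {
        wp_send_json_error( 'invalid args', 400 );
    }

    // 3. JSON instead of PHP serialization: decoding to an associative array
    //    can only produce arrays and scalars, never class instances.
    $args = json_decode( wp_unslash( $_POST['args'] ), true );
    if ( ! is_array( $args ) ) {
        wp_send_json_error( 'invalid args', 400 );
    }

    // 4. Input validation: allow-list the expected keys and coerce their types.
    $clean = array(
        'page'     => isset( $args['page'] ) ? absint( $args['page'] ) : 1,
        'per_page' => isset( $args['per_page'] ) ? min( absint( $args['per_page'] ), 100 ) : 20,
    );
    wp_send_json_success( $clean );
}
```

Where the serialized wire format has to be kept for compatibility, PHP's unserialize() accepts array( 'allowed_classes' => false ) to block class instantiation; maybe_unserialize() takes no such option.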