CVE-2021-36915: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in Cozmoslabs Profile Builder plugin version 3.6.0 and earlier for WordPress. The vulnerability was disclosed on September 29, 2022, and affects the Import and Export add-on functionality, allowing potential attackers to upload JSON files and update options (Patchstack, NVD).

The vulnerability is tracked as CVE-2021-36915 with a CVSS v3.1 Base Score of 4.3 (Medium) according to NVD, and 4.2 (Medium) according to Patchstack. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating that the vulnerability is network accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This specifically affects the ability to upload JSON files and update options within the Import and Export add-on functionality (Patchstack).

The vulnerability was fixed in version 3.6.1 of the Profile Builder plugin. Users are advised to update to version 3.6.1 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).