CVE-2022-0653: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-0653 is a Reflected Cross-Site Scripting (XSS) issue discovered in the WordPress Profile Builder plugin versions below 3.6.2. The vulnerability was publicly disclosed on February 17, 2022, and was discovered by security researcher Chloe Chamberland from Wordfence (Wordfence Blog, WPScan).

The vulnerability stems from improper sanitization and escaping of the site_url parameter in the fallback-page.php file. When this parameter is output back in an href attribute, it creates a potential XSS vector. The vulnerability has been assigned a CVSS score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Cross-Site Scripting (Wordfence Blog).

The vulnerability allows attackers to inject arbitrary web scripts that execute when users click on specially crafted links. This could potentially lead to the compromise of user sessions, theft of sensitive information, or manipulation of the affected website's content (WPScan).

The vulnerability has been patched in version 3.6.2 of both the Profile Builder and Profile Builder Pro plugins. Users are strongly advised to update their installations to this version or later to mitigate the security risk (WPScan).