CVE-2025-13054: 
WordPress vulnerability analysis and mitigation

The User Profile Builder plugin for WordPress (versions up to 3.14.8) contains a Stored Cross-Site Scripting vulnerability (CVE-2025-13054) that was discovered on November 19, 2025. The vulnerability exists in the plugin's wppb-embed shortcode due to insufficient input sanitization and output escaping on user-supplied attributes (NVD CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability affects authenticated users with contributor-level access or higher, who can inject arbitrary web scripts through the plugin's wppb-embed shortcode (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts will execute whenever a user accesses the compromised page, potentially leading to client-side attacks and data theft (NVD CVE).

The vulnerability has been patched in version 3.14.9 of the User Profile Builder plugin. Users are advised to update to this version immediately. The update includes fixes for the wppb-embed shortcode parameter sanitization (WordPress Changeset).