CVE-2025-2314: 
WordPress vulnerability analysis and mitigation

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's shortcodes in versions up to and including 3.13.5. The vulnerability was discovered and disclosed on April 15, 2025, and was assigned CVE-2025-2314. The issue affects all installations of the plugin prior to version 3.13.6 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcodes. This security flaw received a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The issue has been classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, Wordfence).

The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability was partially patched in version 3.13.6 and fully resolved in version 3.13.7 of the plugin. Users are strongly advised to update to the latest version to protect against this security issue (NVD).