CVE-2025-4671: 
WordPress vulnerability analysis and mitigation

The Profile Builder plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-4671) discovered in June 2025. The vulnerability affects all versions up to and including 3.13.8, impacting the plugin's user_meta and compare shortcodes. This security flaw stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (MEDIUM). The security flaw exists in two specific components: the user_meta and compare shortcodes, located in the plugin's advanced settings. The vulnerability stems from improper neutralization of input during web page generation, allowing for the persistence of malicious scripts in the application's stored data (NVD, WordPress Plugin).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 3.13.9 of the Profile Builder plugin. Users are strongly advised to update to this latest version immediately. The update includes security fixes specifically addressing the XSS vulnerability in the user_meta and compare shortcodes (WordPress Plugin).