CVE-2025-8896: 
WordPress vulnerability analysis and mitigation

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdprcommunicationpreferences[]' parameter in versions up to and including 3.14.3. The vulnerability was discovered on August 16, 2025, and was reported by Wordfence (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists due to insufficient input sanitization and output escaping in the GDPR Communication Preferences module (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form (NVD).

The vulnerability has been patched in version 3.14.4 of the User Profile Builder plugin. Users should update to this version immediately to protect against potential attacks. The update includes security fixes for the GDPR Communication Preferences add-on (WordPress Trac).