CVE-2026-7647 Overview
CVE-2026-7647 is a PHP Object Injection vulnerability affecting the Profile Builder Pro plugin for WordPress in all versions up to and including 3.14.5. The flaw resides in the wppb_request_users_pins_action_callback() AJAX handler, which calls PHP's maybe_unserialize() on the attacker-controlled args POST parameter. The handler registers both wp_ajax_ and wp_ajax_nopriv_ hooks and lacks nonce verification, type checking, and input validation. Unauthenticated attackers can inject arbitrary PHP objects into application memory, enabling property-oriented programming (POP) chain attacks. The issue is tracked as CWE-502: Deserialization of Untrusted Data.
Critical Impact
Unauthenticated remote attackers can submit serialized payloads to a WordPress site running Profile Builder Pro and trigger object instantiation, potentially leading to file deletion, sensitive data disclosure, or arbitrary code execution when a suitable POP chain is present.
Affected Products
- Profile Builder Pro plugin for WordPress, versions through 3.14.5
- WordPress sites exposing the wppb_request_users_pins_action_callback() AJAX endpoint
- Sites where additional plugins or themes provide gadget classes usable in a POP chain
Discovery Timeline
- 2026-05-02 - CVE-2026-7647 published to the National Vulnerability Database
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7647
Vulnerability Analysis
The vulnerability is an Insecure Deserialization issue in the Profile Builder Pro user listing add-on. The relevant code path lives in add-ons/user-listing/one-map-listing.php at lines 13 and 271 of the 3.14.5 tag. WordPress registers the AJAX action with both authenticated and unauthenticated hooks, exposing the handler to anonymous HTTP POST requests. Inside the callback, the plugin reads the args POST parameter and passes it directly to maybe_unserialize() without validating the structure or origin of the input. PHP then instantiates any class referenced in the serialized payload and invokes magic methods such as __wakeup(), __destruct(), or __toString() on the resulting object.
Root Cause
The root cause is the use of maybe_unserialize() on untrusted attacker-controlled input combined with the absence of authentication, capability checks, and nonce verification. The handler treats POST data as trusted and reconstructs PHP objects from a serialized string. Any class loaded by WordPress core, the active theme, or other plugins becomes a candidate gadget for a POP chain.
Attack Vector
An unauthenticated attacker sends an HTTP POST request to /wp-admin/admin-ajax.php with the action parameter set to the vulnerable handler and the args parameter set to a crafted serialized PHP object. The server deserializes the payload, instantiates the chosen class, and triggers magic methods that perform attacker-directed operations. Real-world impact depends on which gadget chains are reachable in the WordPress installation, but published research demonstrates file deletion, arbitrary file write, and remote code execution from similar primitives. The high attack complexity reflects the dependency on a usable gadget chain rather than any access requirement.
No verified public exploit code is currently available. See the Wordfence Vulnerability Report and the WordPress Plugin Code Review for the affected source lines.
Detection Methods for CVE-2026-7647
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=wppb_request_users_pins and an args parameter beginning with serialized PHP markers such as O:, a:, or s:.
- Unexpected file creation, modification, or deletion in WordPress content directories shortly after admin-ajax requests.
- New PHP files in wp-content/uploads/ or modified plugin and theme files without a corresponding administrator action.
- Anonymous requests with elevated payload sizes targeting the user listing AJAX endpoint.
Detection Strategies
- Inspect web server access logs for admin-ajax.php requests with the wppb_request_users_pins action originating from unauthenticated sessions.
- Apply web application firewall rules that flag PHP serialized object signatures inside POST bodies destined for WordPress AJAX endpoints.
- Monitor PHP error logs for class autoload failures or __wakeup() and __destruct() exceptions that indicate failed deserialization attempts.
- Compare installed Profile Builder Pro versions against 3.14.5 across the estate using software inventory tooling.
Monitoring Recommendations
- Forward WordPress, web server, and WAF logs into a centralized analytics platform for correlation against admin-ajax abuse patterns.
- Alert on outbound network connections initiated by the PHP-FPM or web server process to unfamiliar destinations.
- Track file integrity for wp-content/plugins, wp-content/themes, and wp-content/uploads to detect post-exploitation persistence.
How to Mitigate CVE-2026-7647
Immediate Actions Required
- Update Profile Builder Pro to a version above 3.14.5 as soon as the vendor publishes a patched release.
- Audit the WordPress installation for unauthorized administrator accounts, modified plugin files, and webshells under wp-content/.
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where business requirements allow.
- Deploy a WAF rule that blocks POST requests containing PHP serialization tokens to the wppb_request_users_pins action.
Patch Information
No fixed version is identified in the available CVE data at the time of publication. Monitor the Wordfence Vulnerability Report and the Profile Builder Pro plugin repository for an updated release. Once available, apply the patch across all affected sites and confirm the version reported in the WordPress admin matches the fixed build.
Workarounds
- Temporarily deactivate the Profile Builder Pro plugin until a patched version is installed.
- Remove or disable the user listing add-on if the deployment does not require it.
- Add server-side rules that reject POST bodies containing serialized PHP object markers when targeting the vulnerable AJAX action.
- Place the WordPress site behind authenticated access controls for non-public deployments to reduce exposure of admin-ajax.php.
# Example WAF rule (ModSecurity) blocking PHP object injection on the vulnerable action
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,deny,status:403,id:1026764701,msg:'CVE-2026-7647 PHP Object Injection attempt'"
SecRule ARGS:action "@streq wppb_request_users_pins" "chain"
SecRule ARGS:args "@rx ^(O|a|s|C):[0-9]+:" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
