Lead Plus X plugin vulnerable to Cross-Site Request Forgery
CVE-2020-36839

8.3HIGH

Key Information:

Vendor: Wordpress
Status: WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Vendor: CVE Published:; 16 October 2024

Summary

The WP Lead Plus X plugin for WordPress features a Cross-Site Request Forgery vulnerability, primarily present in versions up to 0.99. This vulnerability arises from inadequate nonce validation across various functions, enabling potential attackers to exploit the flaw. By deceiving an authorized site administrator into clicking a malicious link, attackers can perform unauthorized administrative actions, including injecting harmful JavaScript or modifying site content without consent.

Affected Version(s)

WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X * <= 0.99

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.wordfence.com/blog/2020/04/critical-vulnerabi...

https://wordpress.org/plugins/free-sales-funnel-squeeze-p...

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Oct 15, 2024

Credit

Ramuel Gall