Unauthorized Modification of Data in Website Builder Plugin for WordPress
CVE-2024-1072
Key Information:
- Vendor: WordPress
- CVE Published: 5 February 2024
Summary
The Website Builder by SeedProd plugin for WordPress, including its Theme Builder and page-building features, is vulnerable to unauthorized modification of data. The cause is a missing capability check on the seedprod_lite_new_lpage function, present in all versions up to and including 6.15.21. As a result, unauthenticated attackers can modify critical site content, including the coming-soon, maintenance, login, and 404 pages. Version 6.15.22 addresses the vulnerability but introduces a bug that affects the functionality of admin pages. Users are advised to upgrade to version 6.15.23.
Affected Version(s)
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode * <= 6.15.21
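To triage an installed copy against the version ranges above, the following added example (not part of the original advisory or the plugin's code) classifies a plugin from the "Version:" field of its WordPress plugin header. The function names and the sample header are constructed for illustration; the version boundaries come from the summary.

```python
import re

# Version boundaries taken from the advisory text above.
LAST_VULNERABLE = (6, 15, 21)  # capability check missing up to and including this
RECOMMENDED = (6, 15, 23)      # 6.15.22 fixes the flaw but breaks admin pages

# WordPress plugins declare their version in a "Version:" field of the
# header comment at the top of the main plugin file.
_VERSION_FIELD = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)",
                            re.IGNORECASE | re.MULTILINE)


def parse_version(header_text):
    """Return the header version as a 3-tuple of ints, or None if unusable."""
    match = _VERSION_FIELD.search(header_text)
    if not match or not re.fullmatch(r"\d+(\.\d+){0,2}", match.group(1)):
        return None
    nums = [int(part) for part in match.group(1).split(".")]
    # Pad so "6.15" compares as (6, 15, 0). Comparing tuples of ints avoids
    # the string-comparison trap where "6.15.9" sorts after "6.15.21".
    return tuple(nums + [0] * (3 - len(nums)))


def triage(header_text):
    """Classify an installed copy against CVE-2024-1072 from its header."""
    version = parse_version(header_text)
    if version is None:
        return "unknown"            # no usable Version field: inspect manually
    if version <= LAST_VULNERABLE:
        return "vulnerable"
    if version < RECOMMENDED:
        return "patched-but-buggy"  # 6.15.22: upgrade to 6.15.23 anyway
    return "ok"


# Constructed sample header (not copied from the real plugin file).
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Example Builder (constructed sample)
 * Version: 6.15.9
 */
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```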