Cross-Site Request Forgery Vulnerability in Landing Page Builder Plugin for WordPress
CVE-2026-12409

4.3MEDIUM

What is CVE-2026-12409?

The Landing Page Builder plugin for WordPress contains a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the ulpb_admin_ajax function. This flaw allows unauthenticated attackers to exploit the plugin by tricking an administrator into executing malicious requests. This could lead to unauthorized changes to posts, including updates, retitling, and modifications to post statuses and meta data. To exploit this weakness, the attacker must manipulate the site's editor-level or administrator session, as certain actions require a valid user session to bypass capability checks.

Affected Version(s)

Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages 0 <= 1.5.3.6

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M.Fahad Khan
.