Cross-Site Request Forgery Vulnerability in Landing Page Builder Plugin for WordPress
CVE-2026-12409
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-12409?
The Landing Page Builder plugin for WordPress contains a Cross-Site Request Forgery vulnerability due to inadequate nonce validation in the ulpb_admin_ajax function. This flaw allows unauthenticated attackers to exploit the plugin by tricking an administrator into executing malicious requests. This could lead to unauthorized changes to posts, including updates, retitling, and modifications to post statuses and meta data. To exploit this weakness, the attacker must manipulate the site's editor-level or administrator session, as certain actions require a valid user session to bypass capability checks.
Affected Version(s)
Landing Page Builder β Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages 0 <= 1.5.3.6