Skip to main content

Landing Page Builder CVE-2026-12409

| EUVDEUVD-2026-44858 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-16 Wordfence GHSA-fx4r-pqvc-gggc
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Attacker needs no privileges (PR:N); victim must actively click a crafted link (UI:R); impact is limited to post content integrity with no confidentiality or availability breach.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 03:46 vuln.today
CVE Published
Jul 16, 2026 - 02:30 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Landing Page Builder - Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpb_admin_ajax function. This makes it possible for unauthenticated attackers to create, update, retitle, or change the post status, slug, and type of arbitrary posts and write ULPB_DATA post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This attack requires the victim to hold an editor-level or administrator session, as the wp_ajax_ulpb_admin_data action enforces a capability check that the forged request must satisfy by inheriting the logged-in user's session cookies.

AnalysisAI

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious page with hidden CSRF form
Delivery
Delivers phishing link to WordPress editor or administrator
Exploit
Victim clicks link while authenticated in WordPress
Execution
Browser auto-submits forged POST to admin-ajax.php with wp_ajax_ulpb_admin_data
Persist
Missing nonce check bypassed; capability check satisfied via inherited session cookies
Impact
ulpb_admin_ajax creates or modifies arbitrary posts and ULPB_DATA post meta

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim hold an active WordPress session with editor-level or administrator-level privileges at the moment they interact with the attacker-controlled content - the wp_ajax_ulpb_admin_data action enforces a capability check that the forged request satisfies only by inheriting the logged-in user's session cookies. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N accurately reflects a bounded risk: the attack is network-reachable with low complexity, but mandates active user interaction (UI:R) and produces only limited integrity impact with no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a domain and hosts a page containing a hidden HTML form that auto-submits a POST request to the target WordPress site's admin-ajax.php endpoint, invoking the wp_ajax_ulpb_admin_data action with attacker-controlled post parameters. The attacker then sends a phishing email to a known WordPress editor or administrator of the target site with a compelling pretext (e.g., 'click here to preview your new landing page'), and when the victim clicks while authenticated, their browser silently submits the forged form, causing the plugin to create or modify posts as if the administrator had done so legitimately. …
Remediation The upstream fix is available as changeset 3444409 in the WordPress plugin SVN repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3444409%40page-builder-add&new=3444409%40page-builder-add), which addresses the missing nonce validation in ajax-requests-class.php. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy