Skip to main content

Landing Page Builder CVE-2026-57337

| EUVDEUVD-2026-40108 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-29 Patchstack GHSA-77c2-57x5-fjmg
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS (AV:N/PR:N) needing victim click (UI:R); browser-context script execution with scope change (S:C) and limited C/I/A impact (all Low).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 15:18 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions.

AnalysisAI

Cross-site scripting in the PluginOps Landing Page Builder WordPress plugin (versions <= 1.5.3.5) lets unauthenticated remote attackers inject script that executes in a victim's browser, with a scope change (S:C) indicating the payload can affect resources beyond the vulnerable component. The flaw requires victim interaction (UI:R) such as visiting a crafted link or page, and yields low-level confidentiality, integrity, and availability impact (CVSS 7.1). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload/link
Delivery
Lure victim to vulnerable plugin page
Exploit
Unsanitized input rendered in browser
Execution
Execute arbitrary JavaScript in victim context
Impact
Steal session or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) but does require victim interaction (UI:R) - the target must visit an attacker-crafted page or click a malicious link that triggers the unsanitized input rendering in the PluginOps Landing Page Builder plugin (<= 1.5.3.5). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, no privileges required, but mandatory user interaction tempers automatability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL or input targeting the vulnerable Landing Page Builder endpoint and lures a victim - a site visitor or logged-in administrator - into visiting it. When the page renders the unsanitized input, attacker-controlled JavaScript executes in the victim's browser, enabling session/cookie theft, redirection, or actions performed as the victim; no public POC was provided in the input.
Remediation No vendor-released patch version is confirmed from the available input data; the advisory only establishes that versions <= 1.5.3.5 are affected, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/page-builder-add/vulnerability/wordpress-landing-page-builder-plugin-1-5-3-5-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for a release newer than 1.5.3.5 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations for PluginOps Landing Page Builder versions ≤1.5.3.5; disable the plugin immediately if discovered. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy