Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Construction Landing Page construction-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Landing Page: from n/a through <= 1.4.1.
AnalysisAI
The Construction Landing Page plugin through version 1.4.1 contains a missing authorization vulnerability that allows unauthenticated attackers to modify data through improperly configured access controls. An attacker can exploit this flaw to perform unauthorized changes to the application without authentication or user interaction. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a common weakness where access control checks are either absent or improperly implemented. The raratheme Construction Landing Page plugin, identifiable via CPE string cpe:2.3:a:raratheme:construction-landing-page, fails to enforce proper authorization checks before allowing state-changing operations. This typically manifests in WordPress plugins as missing nonce verification, absent capability checks (wp_verify_nonce, current_user_can), or exposed REST API endpoints without proper permission callbacks. The issue affects the plugin architecture itself rather than a third-party library, indicating flawed security implementation in the plugin's core functionality handlers.
RemediationAI
Immediately upgrade the raratheme Construction Landing Page plugin to the latest patched version (1.4.2 or higher) available from WordPress.org or the vendor's official repository. Verify the upgrade via the plugin management dashboard and confirm the version string has incremented. As a temporary measure before patching is feasible, restrict plugin functionality by disabling the plugin entirely if non-critical, or implement Web Application Firewall (WAF) rules to block suspicious state-change requests to the plugin's endpoints. Additionally, audit user roles and remove unnecessary editor/administrator permissions from untrusted accounts, and enable security monitoring to detect unusual modification activities on affected sites.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11818