Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attacker needs no privileges (PR:N); victim must actively click a crafted link (UI:R); impact is limited to post content integrity with no confidentiality or availability breach.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Landing Page Builder - Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpb_admin_ajax function. This makes it possible for unauthenticated attackers to create, update, retitle, or change the post status, slug, and type of arbitrary posts and write ULPB_DATA post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This attack requires the victim to hold an editor-level or administrator session, as the wp_ajax_ulpb_admin_data action enforces a capability check that the forged request must satisfy by inheriting the logged-in user's session cookies.
AnalysisAI
Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim hold an active WordPress session with editor-level or administrator-level privileges at the moment they interact with the attacker-controlled content - the wp_ajax_ulpb_admin_data action enforces a capability check that the forged request satisfies only by inheriting the logged-in user's session cookies. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.3 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N accurately reflects a bounded risk: the attack is network-reachable with low complexity, but mandates active user interaction (UI:R) and produces only limited integrity impact with no confidentiality or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a domain and hosts a page containing a hidden HTML form that auto-submits a POST request to the target WordPress site's admin-ajax.php endpoint, invoking the wp_ajax_ulpb_admin_data action with attacker-controlled post parameters. The attacker then sends a phishing email to a known WordPress editor or administrator of the target site with a compelling pretext (e.g., 'click here to preview your new landing page'), and when the victim clicks while authenticated, their browser silently submits the forged form, causing the plugin to create or modify posts as if the administrator had done so legitimately. … |
| Remediation | The upstream fix is available as changeset 3444409 in the WordPress plugin SVN repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3444409%40page-builder-add&new=3444409%40page-builder-add), which addresses the missing nonce validation in ajax-requests-class.php. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44858
GHSA-fx4r-pqvc-gggc