Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
Monthly
Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.
Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.