Skip to main content

Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages

1 CVEs product

Monthly

CVE-2026-12409 MEDIUM This Month

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.

CSRF WordPress Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.

CSRF WordPress Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy