CVE-2026-12409 in Landing Page Builder Plugin
Summary
by MITRE • 07/16/2026
The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpb_admin_ajax function. This makes it possible for unauthenticated attackers to create, update, retitle, or change the post status, slug, and type of arbitrary posts and write ULPB_DATA post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This attack requires the victim to hold an editor-level or administrator session, as the wp_ajax_ulpb_admin_data action enforces a capability check that the forged request must satisfy by inheriting the logged-in user's session cookies.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
This cross-site request forgery vulnerability affects the Landing Page Builder plugin for WordPress, specifically versions up to and including 1536. The flaw exists within the ulpb_admin_ajax function which lacks proper nonce validation mechanisms. A nonce is a unique number generated for each user session that ensures requests originate from legitimate sources within the application. Without this protection, malicious actors can construct forged requests that appear to come from authenticated users.
The vulnerability stems from insufficient input validation and authentication checks within the plugin's administrative AJAX handling. When an administrator performs actions through the WordPress interface, their session cookies are automatically included in subsequent requests, allowing attackers to potentially manipulate the targeted posts. The ulpb_admin_data action enforces capability checks that require editor-level or administrator privileges, meaning the forged requests must inherit valid session credentials from legitimate users.
Attackers can exploit this vulnerability by crafting malicious requests that modify arbitrary posts within the WordPress installation. The compromised functionality allows for creating new posts, updating existing content, changing post titles, modifying post status, altering slugs, and changing post types through the ULPB_DATA post meta. This gives attackers significant control over website content and structure, potentially enabling them to inject malicious code or redirect traffic.
The impact of this vulnerability extends beyond simple content manipulation as it can compromise entire websites when combined with other attack vectors. Attackers could leverage this weakness to gain persistent access to WordPress installations by modifying critical posts or creating backdoors through legitimate administrative interfaces. The vulnerability affects any WordPress site using the affected plugin version and requires no authentication from the attacker's perspective, making it particularly dangerous in environments where administrators frequently visit external websites.
Organizations should immediately update to the latest plugin version that addresses this nonce validation issue. System administrators should also monitor for suspicious activities in their WordPress installations and implement additional security measures such as two-factor authentication and regular security audits. The vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery weaknesses in web applications. This type of vulnerability commonly appears in the ATT&CK framework under the privilege escalation and persistence categories, making it a significant concern for cybersecurity professionals responsible for WordPress security management.
The technical flaw represents a fundamental breakdown in the plugin's security architecture where proper session validation mechanisms were not implemented. Modern security practices require that all administrative actions be protected by robust authentication tokens that cannot be easily forged or reused across different sessions. The absence of these protections in the ulpb_admin_ajax function creates an exploitable gap that attackers can leverage to perform unauthorized modifications to WordPress content management systems.