CVE-2026-24620 in Landing Page Builder Plugin
Summary
by MITRE • 01/23/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginOps Landing Page Builder page-builder-add allows Stored XSS. This issue affects Landing Page Builder: from n/a through <= 1.5.3.3.
Analysis
by VulDB Data Team • 01/23/2026
The vulnerability identified as CVE-2026-24620 represents a critical cross-site scripting flaw within the PluginOps Landing Page Builder plugin, specifically affecting versions through 1.5.3.3. This weakness falls under the category of improper input neutralization during web page generation, creating a persistent security risk that enables attackers to inject malicious scripts into web pages viewed by other users. The vulnerability is classified as stored XSS, meaning that malicious code persists on the server and executes whenever affected pages are loaded, rather than requiring immediate user interaction with a malicious link.
The technical implementation of this flaw occurs within the page-builder-add component of the Landing Page Builder plugin, where user input is not properly sanitized or escaped before being rendered in web pages. This allows an attacker to submit malicious payloads through the plugin's interface that are then stored in the database and executed in the context of other users' browsers. The vulnerability stems from inadequate validation and output encoding practices that fail to neutralize potentially dangerous characters and script tags that could be interpreted by web browsers as executable code. This issue directly maps to CWE-79, which defines the improper neutralization of input during web page generation as a primary cause of cross-site scripting vulnerabilities.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to hijack user sessions, steal sensitive information, manipulate website content, and potentially escalate privileges within the affected system. An attacker could exploit this flaw to execute malicious scripts that steal cookies, redirect users to phishing sites, or modify content displayed to legitimate users. The stored nature of the vulnerability means that the malicious payloads remain active until manually removed from the database, creating a persistent threat that can affect multiple users over extended periods. This vulnerability is particularly concerning in environments where the plugin is used by administrators or privileged users, as it could potentially lead to complete system compromise.
Mitigation strategies for this vulnerability should include immediate patching of the affected plugin to version 1.5.3.4 or later, which contains the necessary input sanitization and output escaping mechanisms. Organizations should also implement comprehensive input validation measures that filter and escape all user-provided content before storage and rendering. Security practitioners should consider implementing content security policies to limit script execution and monitor for suspicious activity within the affected plugin's functionality. The vulnerability aligns with ATT&CK technique T1566.001, which covers the use of malicious content to execute code in web browsers, and represents a classic example of how inadequate input validation can create persistent security risks in web applications. Additionally, regular security audits of third-party plugins and maintaining up-to-date security patches should be prioritized to prevent similar vulnerabilities from being exploited in the future.
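To make the CWE-79 pattern and the escaping fix concrete, the following is an added example written for this page, not PluginOps code: a hypothetical page-builder heading field stored in post meta and rendered without escaping, beside a version that escapes for the output context, allow-lists rich markup, and sets the CSP header mentioned above. The function names, meta keys and CSP sources are assumptions; the WordPress API calls (sanitize_text_field, esc_html, esc_attr, wp_kses_post, get_post_meta) are real.

```php
<?php
// Added illustration (hypothetical plugin code, not from PluginOps).
// Runs inside WordPress, where the escaping and meta functions are defined.

// Hypothetical save handler: sanitize on input (defence in depth, not sufficient alone,
// because other code paths may write the same meta key).
function lpb_example_save_heading( $post_id, $raw_heading ) {
    // sanitize_text_field() strips tags and encodes stray '<' / '>'.
    $clean = sanitize_text_field( wp_unslash( $raw_heading ) );
    update_post_meta( $post_id, '_lpb_example_heading', $clean );
}

// Vulnerable rendering pattern (the CWE-79 shape described in the analysis):
// a stored value is concatenated into markup verbatim, so any '<script>' saved
// into the meta key executes in every visitor's browser.
function lpb_example_render_vulnerable( $post_id ) {
    $heading = get_post_meta( $post_id, '_lpb_example_heading', true );
    return '<h2 class="lpb-heading">' . $heading . '</h2>'; // no output escaping
}

// Hardened rendering: escape at output, choosing the escaper for each context.
function lpb_example_render_safe( $post_id ) {
    $heading = get_post_meta( $post_id, '_lpb_example_heading', true );
    $class   = get_post_meta( $post_id, '_lpb_example_class', true );
    return sprintf(
        '<h2 class="%s">%s</h2>',
        esc_attr( $class ),   // attribute context: quotes and angle brackets encoded
        esc_html( $heading )  // HTML text context: '<' becomes '&lt;', so tags never parse
    );
}

// Rich content that legitimately contains markup: allow-list it instead of escaping.
// wp_kses_post() keeps post-safe tags (<p>, <a>, <strong>, ...) and removes <script>
// and on* event-handler attributes.
function lpb_example_render_rich( $stored_html ) {
    return wp_kses_post( $stored_html );
}

// Defence in depth from the mitigation paragraph: a CSP that forbids inline script
// limits what a missed escaping bug can execute. Sources here are placeholders.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'" );
} );
```

The CSP line is intentionally strict; wp-admin and many themes rely on inline scripts, so test it on the front end with report-only mode before enforcing it site-wide.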