PT-2026-60397 · WordPress · Landing Page Builder

M.Fahad Khan

·

Published

2026-07-16

·

Updated

2026-07-16

·

CVE-2026-12409

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages versions prior to 1.5.3.7
Description Cross-Site Request Forgery occurs due to missing or incorrect nonce validation in the ulpb admin ajax() function. This allows unauthenticated attackers to create, update, retitle, or change the post status, slug, and type of arbitrary posts, as well as write ULPB DATA post meta through a forged request. The attack requires a victim with editor-level or administrator privileges to perform an action, such as clicking a link, because the wp ajax ulpb admin data action requires a capability check satisfied by the logged-in user's session cookies.
Recommendations Update to version 1.5.3.7 or later.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12409

Affected Products

Landing Page Builder