PT-2026-60397 · WordPress · Landing Page Builder
M.Fahad Khan
·
Published
2026-07-16
·
Updated
2026-07-16
·
CVE-2026-12409
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages versions prior to 1.5.3.7
Description
Cross-Site Request Forgery occurs due to missing or incorrect nonce validation in the
ulpb admin ajax() function. This allows unauthenticated attackers to create, update, retitle, or change the post status, slug, and type of arbitrary posts, as well as write ULPB DATA post meta through a forged request. The attack requires a victim with editor-level or administrator privileges to perform an action, such as clicking a link, because the wp ajax ulpb admin data action requires a capability check satisfied by the logged-in user's session cookies.Recommendations
Update to version 1.5.3.7 or later.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Landing Page Builder