cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2022-47429,https://securityvulnerability.io/vulnerability/CVE-2022-47429,WordPress Coming Soon Landing Page and Maintenance Mode WordPress Plugin plugin <= 2.2.0 - Broken Access Control,"An authorization issue exists within the 8Degree Themes Coming Soon Landing Page and Maintenance Mode WordPress Plugin that can lead to the retrieval of embedded sensitive data. This vulnerability allows unauthorized users to access data that should be protected, thereby jeopardizing the security of WordPress sites utilizing this plugin. The vulnerability primarily affects versions prior to 2.2.0, highlighting the need for site administrators to update their plugins to safeguard against potential data breaches.",Wordpress,Coming Soon Landing Page And Maintenance Mode WordPress Plugin,5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-13T14:23:15.535Z,0
CVE-2024-11366,https://securityvulnerability.io/vulnerability/CVE-2024-11366,Unauthenticated Attackers Can Inject Arbitrary Web Scripts through Reflected Cross-Site Scripting Flaw in SEO Landing Page Generator Plugin,"The SEO Landing Page Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.66.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,Seo Landing Page Generator,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-11-28T08:47:33.446Z,0
CVE-2024-9226,https://securityvulnerability.io/vulnerability/CVE-2024-9226,Reflected Cross-Site Scripting Vulnerability in Landing Page Cat Plugin,"The Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,"Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages",6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-11-09T03:18:13.352Z,0
CVE-2020-36839,https://securityvulnerability.io/vulnerability/CVE-2020-36839,Lead Plus X plugin vulnerable to Cross-Site Request Forgery,"The WP Lead Plus X plugin for WordPress features a Cross-Site Request Forgery vulnerability, primarily present in versions up to 0.99. This vulnerability arises from inadequate nonce validation across various functions, enabling potential attackers to exploit the flaw. By deceiving an authorized site administrator into clicking a malicious link, attackers can perform unauthorized administrative actions, including injecting harmful JavaScript or modifying site content without consent.",Wordpress,WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X,8.3,HIGH,0.0005099999834783375,false,,false,false,false,,,false,false,,2024-10-16T06:43:45.081Z,0
CVE-2023-4730,https://securityvulnerability.io/vulnerability/CVE-2023-4730,Unauthorized Data Modification Vulnerability in LadiApp WordPress Plug-in,"The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to modify a variety of settings. An attacker can directly modify the 'ladipage_key' which enables them to create new posts on the website and inject malicious web scripts.",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-08-17T07:34:23.344Z,0
CVE-2024-3961,https://securityvulnerability.io/vulnerability/CVE-2024-3961,Unauthorized Modification of Data in ConvertKit Plugin Due to Missing Capability Check,"The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded.",Wordpress,"Convertkit – Email Newsletter, Email Marketing, Subscribers And Landing Pages",5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-06-21T03:49:00.260Z,0
CVE-2024-3555,https://securityvulnerability.io/vulnerability/CVE-2024-3555,Unauthorized Access Vulnerability in Link-in-Bio Landing Pages Plugin,"The Social Link Pages plugin for WordPress is susceptible to unauthorized access due to a missing capability check on the import_link_pages() function. This vulnerability affects all versions up to and including 1.6.9, allowing unauthenticated attackers to exploit the flaw and inject arbitrary pages and malicious web scripts. As a result, it poses a significant risk for WordPress sites utilizing this plugin.",Wordpress,Social Link Pages: Link-in-bio Landing Pages For Your Social Media Profiles,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-06-04T05:32:12.848Z,0
CVE-2024-1793,https://securityvulnerability.io/vulnerability/CVE-2024-1793,"AWeber Plugin Vulnerable to SQL Injection, Puts Sensitive Data at Risk","The AWeber – Free Sign Up Form and Landing Page Builder Plugin for WordPress is susceptible to a SQL Injection vulnerability through the 'post_id' parameter. This issue arises from inadequate escaping of user-supplied parameters and insufficient preparation in the SQL query. Authenticated attackers with administrator-level access can exploit this weakness to inject additional SQL commands into existing queries, potentially accessing and extracting sensitive information from the database, thereby compromising the security of users' data and the integrity of the application.",Wordpress,Aweber – Free Sign Up Form And Landing Page Builder Plugin For Lead Generation And Email Newsletter Growth,7.2,HIGH,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-03-13T15:27:24.266Z,0
CVE-2023-6880,https://securityvulnerability.io/vulnerability/CVE-2023-6880,Stored Cross-Site Scripting Vulnerability in Visual Composer Plugin for WordPress,"The Visual Composer plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability caused by inadequate input sanitization and output escaping. This affects all versions up to 45.6.0, allowing authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts. These injected scripts will execute whenever users access the compromised pages, potentially hijacking sessions, defacing websites, or spreading malware. Website administrators must ensure they upgrade to the latest version and implement proper input validation measures to safeguard against this vulnerability.",Wordpress,"Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages",5.4,MEDIUM,0.0004799999878741801,false,,false,false,false,,,false,false,,2024-03-13T15:26:52.043Z,0
CVE-2023-4629,https://securityvulnerability.io/vulnerability/CVE-2023-4629,Cross-Site Request Forgery Vulnerability in LadiApp Plugin for WordPress,"The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the save_config() function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the 'ladipage_config' option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",4.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-03-12T09:33:57.201Z,0
CVE-2023-4729,https://securityvulnerability.io/vulnerability/CVE-2023-4729,LadiApp Plugin Vulnerable to Cross-Site Request Forgery,"The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",4.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-03-12T09:33:56.755Z,0
CVE-2023-4627,https://securityvulnerability.io/vulnerability/CVE-2023-4627,Unauthorized Modification of Data Vulnerability in LadiApp Plugin for WordPress,"The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladipage_config' option.",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-03-12T09:33:56.315Z,0
CVE-2023-4728,https://securityvulnerability.io/vulnerability/CVE-2023-4728,Unauthorized modification of data in LadiApp plugin for WordPress due to missing capability check,"The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",5.4,MEDIUM,0.0004799999878741801,false,,false,false,false,,,false,false,,2024-03-12T09:33:55.846Z,0
CVE-2023-4626,https://securityvulnerability.io/vulnerability/CVE-2023-4626,Unauthorized Modification of Data Vulnerability in LadiApp Plugin for WordPress,"The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflow_save_hook() function in versions up to, and including, 4.3. This makes it possible for authenticated attackers with subscriber-level access and above to update the 'ladiflow_hook_configs' option.",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-03-12T09:33:55.378Z,0
CVE-2023-4731,https://securityvulnerability.io/vulnerability/CVE-2023-4731,Cross-Site Request Forgery Vulnerability in LadiApp WordPress Plug-in,"The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to modify a variety of settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. An attacker can directly modify the 'ladipage_key' which enables them to create new posts on the website and inject malicious web scripts,",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",4.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-03-12T09:33:54.929Z,0
CVE-2023-4628,https://securityvulnerability.io/vulnerability/CVE-2023-4628,LadiApp Plugin Vulnerable to Cross-Site Request Forgery,"The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflow_save_hook() function in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to update the 'ladiflow_hook_configs' option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,"Ladiapp: Landing Page, Popupx, Marketing Automation, Affiliate Marketing…",4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-03-12T09:33:54.384Z,0
CVE-2024-0708,https://securityvulnerability.io/vulnerability/CVE-2024-0708,Unauthenticated Attackers Can Access Sensitive Information on Landing Pages,"The Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to access landing pages that may not be public.",Wordpress,"Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages",5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-02-15T06:48:47.097Z,0
CVE-2024-1072,https://securityvulnerability.io/vulnerability/CVE-2024-1072,Unauthorized Modification of Data in Website Builder Plugin for WordPress,"The Website Builder by SeedProd, especially its Theme Builder and various page-building functionalities, contains a vulnerability that allows unauthorized modification of data. This issue arises from a missing capability check in the seedprod_lite_new_lpage function, present in all versions up to and including 6.15.21. As a result, unauthenticated attackers can manipulate critical web content, including coming-soon, maintenance, login, and 404 pages. Although version 6.15.22 addresses this vulnerability, it inadvertently introduces a bug impacting the functionality of admin pages. Users are advised to upgrade to version 6.15.23 to mitigate security risks effectively.",Wordpress,"Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode",7.5,HIGH,0.0005600000149570405,false,,false,false,false,,,false,false,,2024-02-05T21:21:50.961Z,0
CVE-2023-7019,https://securityvulnerability.io/vulnerability/CVE-2023-7019,Unauthorized Data Modification in LightStart Plugin for WordPress,"The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress has a security flaw that enables authenticated users, including those with subscriber-level access, to modify page designs. This issue arises from a missing capability check in the insert_template function, exposing the plugin to potential unauthorized data alterations across all versions up to and including 2.6.8.",Wordpress,"LightStart – Maintenance Mode, Coming Soon and Landing Page Builder",4.3,MEDIUM,0.0004799999878741801,false,,false,false,false,,,false,false,,2024-01-11T08:32:53.047Z,0
CVE-2023-48325,https://securityvulnerability.io/vulnerability/CVE-2023-48325,WordPress Landing Page Builder Plugin <= 1.5.1.5 is vulnerable to Open Redirection,"URL Redirection to Untrusted Site ('Open Redirect') vulnerability in PluginOps Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages. This issue affects Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages: from n/a through 1.5.1.5.",Wordpress,Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages,4.7,MEDIUM,0.0005000000237487257,false,,false,false,false,,,false,false,,2023-12-07T12:15:00.000Z,0
CVE-2020-36722,https://securityvulnerability.io/vulnerability/CVE-2020-36722,Cross-Site Scripting Vulnerability in Visual Composer Plugin for WordPress,"The Visual Composer plugin for WordPress, in its versions up to and including 26.0, has a vulnerability that allows attackers to exploit insufficient input sanitization and output escaping. This Cross-Site Scripting (XSS) issue can let attackers inject malicious web scripts that run in the browser of unwitting users, potentially leading to data theft or unauthorized actions on the affected site. Website owners using this plugin should apply the necessary patches and updates to safeguard against such threats.",Wordpress,"Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages",5.5,MEDIUM,0.0016899999463930726,false,,false,false,false,,,false,false,,2023-06-07T01:51:42.848Z,0
CVE-2015-10090,https://securityvulnerability.io/vulnerability/CVE-2015-10090,Landing Pages Plugin cross site scripting,"A vulnerability, which was classified as problematic, has been found in Landing Pages Plugin up to 1.8.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.8 is able to address this issue. The name of the patch is c8e22c1340c11fedfb0a0a67ea690421bdb62b94. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222320.",Wordpress,Landing Pages Plugin,3.5,LOW,0.0014900000533089042,false,,false,false,false,,,false,false,,2023-03-06T00:15:00.000Z,0
CVE-2022-4718,https://securityvulnerability.io/vulnerability/CVE-2022-4718,Landing Page Builder < 1.4.9.9 - Contributor+ Cross-Site Scripting via Shortcode,"The Landing Page Builder WordPress plugin before 1.4.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.",Wordpress,Landing Page Builder,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2023-01-23T14:32:00.887Z,0
CVE-2021-25067,https://securityvulnerability.io/vulnerability/CVE-2021-25067,Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS),The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page.,Wordpress,Landing Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages,5.4,MEDIUM,0.002050000010058284,false,,false,false,false,,,false,false,,2022-01-17T13:00:41.000Z,0
CVE-2015-5227,https://securityvulnerability.io/vulnerability/CVE-2015-5227,,The Landing Pages plugin before 1.9.2 for WordPress allows remote attackers to execute arbitrary code via the url parameter.,Wordpress,WordPress Landing Pages,8.8,HIGH,0.024800000712275505,false,,false,false,false,,,false,false,,2017-10-18T20:00:00.000Z,0