LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 – Missing Authorization on publish_lp() | CVE 2023-4728 | Plugin Vulnerabilities

Description

The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to change the LadiPage key (a key fully controlled by the attacker), enabling them to freely create new pages, including web pages that trigger stored XSS

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6dafc81c-f1be-422d-b34f-87f1956e8849

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

GiongfNef

Verified

No

WPVDB ID

14f2bc81-337d-4ffd-8ef6-a42a73f0e8cb

Timeline

Publicly Published

2024-03-11 (about 2 years ago)

Added

2024-03-11 (about 2 years ago)

Last Updated

2024-03-11 (about 2 years ago)

Other

Published

Title

Published

2025-12-11

Title

Flow-Flow Social Feed Stream 3.0.0 - 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via flow_flow_social_auth AJAX action

Published

2022-08-06

Title

ActiveDEMAND plugin < 0.2.28 - Unauthenticated Post Creation/Update/Deletion

Published

2025-12-13

Title

Ultimate Addons for Contact Form 7 < 3.5.35 - Missing Authorization

Published

2025-08-12

Title

Membership For WooCommerce < 3.0.0 - Missing Authorization

Published

2025-10-03

Title

Integrate Dynamics 365 CRM < 1.1.0 - Missing Authorization