WordPress Plugin Vulnerabilities

Website Builder by SeedProd < 6.18.16 - Subscriber+ Sensitive Information Exposure

Description

The plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.

Affects Plugins

Plugin icon
coming-soon
Fixed in 6.18.16

References

CVE
CVE-2025-3949
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/669b0f30-8958-420c-93c5-0103b71967dd

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
2ca52e48-b320-4496-bac8-cc5ff973ff56

Timeline

Publicly Published
2025-05-08 (about 1 year ago)
Added
2025-05-12 (about 1 year ago)
Last Updated
2025-05-12 (about 1 year ago)

Other

Published
Title
Published
2024-12-05
Title
Ultimate Coming Soon & Maintenance < 1.1.0 - Subscriber+ Template Name Update
Published
2026-01-14
Title
Raptive Ads <= 3.10.0 - Missing Authorization
Published
2023-12-06
Title
System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_global_value)
Published
2025-06-19
Title
User Roles and Capabilities <= 1.2.6 - Missing Authorization
Published
2024-04-12
Title
Ivory Search – WordPress Search Plugin < 5.5.6 - Subscriber+ Index Creation