0.0
NA
CVE-2026-12409
Landing Page Builder <= 1.5.3.6 - Cross-Site Request Forgery to ulpb_admin_data AJAX Action
Description

The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpb_admin_ajax function. This makes it possible for unauthenticated attackers to create, update, retitle, or change the post status, slug, and type of arbitrary posts and write ULPB_DATA post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This attack requires the victim to hold an editor-level or administrator session, as the wp_ajax_ulpb_admin_data action enforces a capability check that the forged request must satisfy by inheriting the logged-in user's session cookies.

INFO

Published Date :

July 16, 2026, 2:30 a.m.

Last Modified :

July 16, 2026, 2:30 a.m.

Remotely Exploit :

No

Source :

Wordfence
Affected Products

The following products are affected by CVE-2026-12409 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

Solution
Update the WordPress plugin to the latest version to fix Cross-Site Request Forgery.
  • Update the WordPress Landing Pages plugin to the latest version.
  • Ensure nonce validation is correctly implemented in the code.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-12409 vulnerability anywhere in the article.

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.