Landing Pages Plugin cross site scripting
Description
A vulnerability, which was classified as problematic, has been found in Landing Pages Plugin up to 1.8.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.8 is able to address this issue. The name of the patch is c8e22c1340c11fedfb0a0a67ea690421bdb62b94. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222320.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: 1.8.0
Patches
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize user-supplied input before rendering it on the page, leading to cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by injecting malicious scripts into fields that are not properly sanitized. This can occur remotely, allowing an attacker to craft a URL or input that, when processed by the plugin, executes arbitrary JavaScript in the victim's browser. The vulnerability is present in versions up to 1.8.8 [ref_id=1].
Affected code
The vulnerability is related to the handling of user input within the Landing Pages plugin. The commit associated with the patch, `c8e22c1340c11fedfb0a0a67ea690421bdb62b94`, targets the `Landing_Pages_Load_Extensions` class, indicating that the issue lies within the extension loading and data processing functionalities of the plugin [ref_id=1].
What the fix does
The patch addresses the vulnerability by sanitizing user input. Specifically, the commit modifies how data is handled within the `Landing_Pages_Load_Extensions` class, ensuring that potentially harmful characters are neutralized before being displayed. This prevents the injection and execution of malicious scripts, thereby mitigating the cross-site scripting risk [patch_id=4375407].
Preconditions
- config: The Landing Pages plugin must be installed and active.
- input: The attacker must be able to provide unsanitized input to the plugin.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/wp-plugins/landing-pages/commit/c8e22c1340c11fedfb0a0a67ea690421bdb62b94 (mitre, patch)
- github.com/wp-plugins/landing-pages/releases/tag/1.8.8 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)