CVE-2026-22490

Vulnerability

Overview The Bulk Landing Page Creator for WordPress plugin (LPagery) versions up to and including 2.4.9 contain a missing authorization vulnerability. The issue stems from incorrectly configured access control security levels, which allows an attacker to bypass intended permission checks. This type of flaw is classified as a broken access control vulnerability, where the plugin fails to properly verify that a user has the necessary privileges before performing sensitive actions [1].

Exploitation

An attacker can exploit this vulnerability without requiring authentication, as the missing authorization check does not enforce any privilege validation. The attack surface is broadens the surface for mass exploitation campaigns, as the plugin is widely used and the vulnerability can be triggered remotely. No special network position or user interaction is needed beyond sending a crafted request to a vulnerable site [1].

Impact

Successful exploitation allows an unprivileged user to perform actions that should be restricted to higher-privileged roles, such as administrators. This could lead to unauthorized creation, modification, or deletion of landing pages, potentially affecting site content and integrity. The CVSS. The CVSS v3 base score is 5.4 (Medium), indicating a moderate severity with potential for significant impact on confidentiality, integrity, and availability [1].

Mitigation

The vulnerability has been addressed in version 2.4.10 of the plugin. Users are strongly advised to update to this version or later immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure protection [1].