CVE-2026-24620

Vulnerability

Overview

The Landing Page Builder plugin for WordPress (versions up to and including 1.5.3.4) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows an authenticated attacker with sufficient-privilege user to inject arbitrary HTML and JavaScript code, including JavaScript, which is then stored and executed when other users visit the affected page.

Exploitation

Conditions

Exploitation requires a user with at least the role specified in the plugin's settings (typically an editor or administrator) to submit crafted input. The attacker does not need direct access to the server; they can deliver the payload through the plugin's interface. Successful exploitation also requires a privileged user to perform an action such as clicking a link or submitting a form, making it a stored XSS with user interaction [1].

Impact

An attacker can inject malicious scripts that execute in the context of any visitor's browser. This can lead to redirection to malicious sites, display of unauthorized advertisements, theft of session cookies, or other client-side attacks. The vulnerability is rated Medium (CVSS 5.9) and is known to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has released version 1.5.3.5 which resolves the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consulting a hosting provider or web developer is recommended [1].