CVE-2026-12409 Overview
CVE-2026-12409 is a Cross-Site Request Forgery (CSRF) vulnerability in the Landing Page Builder WordPress plugin, which also markets itself as Coming Soon page, Maintenance Mode, Lead Page, and WordPress Landing Pages. The flaw exists in all versions up to and including 1.5.3.6 and results from missing or incorrect nonce validation on the ulpb_admin_ajax function. Attackers who trick an authenticated editor or administrator into loading a crafted page can create, update, retitle, or change the post status, slug, and type of arbitrary posts, and write ULPB_DATA post meta. The issue is tracked under CWE-352.
Critical Impact
Unauthenticated attackers can manipulate arbitrary WordPress posts and post metadata by tricking an editor or administrator into clicking a crafted link, leading to content tampering and potential defacement of the site.
Affected Products
- Landing Page Builder WordPress plugin (also known as Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages)
- All versions up to and including 1.5.3.6
- WordPress sites with the plugin active and privileged user sessions
Discovery Timeline
- 2026-07-16 - CVE-2026-12409 published to the National Vulnerability Database (NVD)
- 2026-07-16 - Last updated in the NVD database
Technical Details for CVE-2026-12409
Vulnerability Analysis
The vulnerability resides in the plugin's administrative AJAX handler ulpb_admin_ajax, registered through the wp_ajax_ulpb_admin_data action. This handler performs a capability check to confirm that the requester has editor or administrator privileges, but it does not verify a WordPress nonce tied to the request. Because nonces are the standard anti-CSRF token mechanism in WordPress, their absence allows a forged request to inherit the victim's authenticated session cookies and satisfy the capability check without proof of user intent.
Once the forged request is processed, the plugin performs privileged post operations, including creation, updating, retitling, and changes to the post status, slug, and type of arbitrary posts. The handler also writes to the ULPB_DATA post meta field, giving attackers a mechanism to inject arbitrary landing page metadata into any post.
Root Cause
The root cause is a missing or incorrect nonce validation call inside the ulpb_admin_ajax handler in admin/classes/ajax-requests-class.php. WordPress plugins are expected to call check_ajax_referer() or wp_verify_nonce() before executing state-changing operations. Without that check, the AJAX endpoint trusts any authenticated browser session, which is the exact condition CSRF exploits.
Attack Vector
Exploitation requires user interaction from a victim who holds an editor or administrator session on the target WordPress site. An attacker crafts a page containing an auto-submitting form or scripted request pointing at the vulnerable admin-ajax.php endpoint. When the privileged user visits the page, the browser sends the request with their authenticated cookies, and the plugin executes the requested post modification. See the Wordfence Vulnerability Analysis and the WordPress Plugin Code Snippet for the vulnerable handler location.
No verified proof-of-concept code has been published. The vulnerability mechanism is a standard WordPress AJAX CSRF pattern: a forged request to /wp-admin/admin-ajax.php with action=ulpb_admin_data and attacker-controlled post parameters, delivered while the victim is authenticated.
Detection Methods for CVE-2026-12409
Indicators of Compromise
- Unexpected POST requests to /wp-admin/admin-ajax.php with the parameter action=ulpb_admin_data originating from external Referer headers.
- Newly created, retitled, or reslugged posts that administrators do not recognize, especially with modified post types or statuses.
- Unexplained presence or modification of the ULPB_DATA post meta key on posts that are not landing pages.
Detection Strategies
- Review WordPress access logs for admin-ajax.php calls to the ulpb_admin_data action where the Referer header points outside the site's own domain.
- Compare recent post revisions and audit trails for status, slug, or type changes that do not correlate with legitimate editor activity.
- Alert on modifications to the wp_postmeta table where meta_key = 'ULPB_DATA' outside normal editorial workflows.
Monitoring Recommendations
- Enable a WordPress activity logging plugin to capture user-initiated post edits and correlate them with the responsible session.
- Forward WordPress and web server logs to a centralized SIEM or data lake for cross-site correlation of CSRF patterns.
- Monitor for administrator accounts browsing external URLs immediately before unexplained post changes appear.
How to Mitigate CVE-2026-12409
Immediate Actions Required
- Update the Landing Page Builder plugin to a version later than 1.5.3.6 as soon as the vendor publishes a fixed release.
- Audit all recent post creations, edits, and ULPB_DATA post meta changes to identify any unauthorized modifications.
- Instruct editors and administrators to log out of WordPress sessions before browsing untrusted sites and links.
Patch Information
All versions of the Landing Page Builder plugin up to and including 1.5.3.6 are affected. Administrators should monitor the WordPress Plugin Changeset and the Wordfence advisory for the fixed version and apply it through the WordPress plugin updater once available.
Workarounds
- Deactivate and remove the Landing Page Builder plugin until a patched version is installed.
- Restrict administrative access to WordPress using IP allowlisting on /wp-admin/ and /wp-admin/admin-ajax.php at the web server or WAF layer.
- Deploy a Web Application Firewall rule that blocks requests to admin-ajax.php with action=ulpb_admin_data when the Referer header is missing or does not match the site's own origin.
# Example nginx snippet to require same-origin Referer for the vulnerable AJAX action
location = /wp-admin/admin-ajax.php {
if ($arg_action = "ulpb_admin_data") {
set $csrf_block "1";
}
if ($http_referer !~* "^https?://your-site\.example/") {
set $csrf_block "${csrf_block}1";
}
if ($csrf_block = "11") {
return 403;
}
include fastcgi_params;
fastcgi_pass php-fpm;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

