CVE-2026-24620
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-04-01
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pluginops | landing_page_builder | to 1.5.3.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24620 is a Cross Site Scripting (XSS) vulnerability in the WordPress Landing Page Builder Plugin versions up to 1.5.3.3. It allows an attacker with a privileged user role (such as author or developer) to inject malicious scripts into web pages by actions like clicking a malicious link, visiting a crafted page, or submitting a form. These scripts then execute when site visitors access the affected pages, potentially causing redirects, displaying unwanted advertisements, or other malicious HTML payloads. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject and execute malicious scripts on your website, which can lead to unwanted redirects, display of malicious advertisements, or other harmful actions affecting your site visitors. However, exploitation requires a privileged user role and user interaction, and the overall severity is considered low with a CVSS score of 5.9. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your WordPress site is running the Landing Page Builder Plugin version 1.5.3.3 or earlier. Since it is a stored XSS vulnerability requiring user interaction and privileged roles, you can look for suspicious input fields or stored scripts in pages generated by the plugin. Specific commands are not provided in the resources, but you can use WordPress CLI commands such as 'wp plugin list' to check plugin versions and manual inspection of pages created with the plugin for injected scripts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting privileged user roles (authors, developers) from interacting with untrusted content, monitoring and sanitizing inputs on pages created with the Landing Page Builder plugin, and avoiding clicking on suspicious links or submitting untrusted forms. Since no official fix or patch is currently available, consider disabling or removing the vulnerable plugin until a patch is released. [1]