CVE-2024-1072: CWE-862 Missing Authorization in seedprod Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to, and including, 6.15.21. This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin. Version 6.15.22 addresses this issue but introduces a bug affecting admin pages. We suggest upgrading to 6.15.23.
AI Analysis
Technical Summary
The vulnerability CVE-2024-1072 in the SeedProd Website Builder plugin arises from a missing capability check in the seedprod_lite_new_lpage function. This flaw permits unauthenticated attackers to alter page content for coming-soon, maintenance, login, and 404 pages configured via the plugin. The issue affects all versions up to 6.15.21. Although version 6.15.22 patched the authorization bypass, it introduced a bug impacting admin pages. The subsequent release, 6.15.23, resolves both the authorization vulnerability and the admin page bug. The CVSS 3.1 base score is 8.2, indicating high severity with network attack vector, no privileges required, no user interaction, and high impact on integrity with low impact on availability.
Potential Impact
Successful exploitation allows unauthenticated attackers to modify the content of critical pages such as coming-soon, maintenance, login, and 404 pages on affected WordPress sites using the SeedProd plugin. This can lead to unauthorized content changes, potentially misleading visitors or disrupting site operations. There is no direct confidentiality impact reported. The vulnerability has a high integrity impact and low availability impact. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
A fix is available. Users should upgrade the Website Builder by SeedProd plugin to version 6.15.23, which addresses the missing authorization check and resolves the admin page bug introduced in version 6.15.22. Applying this update is the recommended remediation. Patch status is confirmed by the vendor's versioning information. No additional mitigations are specified or required beyond upgrading to the fixed version.
CVE-2024-1072: CWE-862 Missing Authorization in seedprod Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode
Description
The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to, and including, 6.15.21. This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin. Version 6.15.22 addresses this issue but introduces a bug affecting admin pages. We suggest upgrading to 6.15.23.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2024-1072 in the SeedProd Website Builder plugin arises from a missing capability check in the seedprod_lite_new_lpage function. This flaw permits unauthenticated attackers to alter page content for coming-soon, maintenance, login, and 404 pages configured via the plugin. The issue affects all versions up to 6.15.21. Although version 6.15.22 patched the authorization bypass, it introduced a bug impacting admin pages. The subsequent release, 6.15.23, resolves both the authorization vulnerability and the admin page bug. The CVSS 3.1 base score is 8.2, indicating high severity with network attack vector, no privileges required, no user interaction, and high impact on integrity with low impact on availability.
Potential Impact
Successful exploitation allows unauthenticated attackers to modify the content of critical pages such as coming-soon, maintenance, login, and 404 pages on affected WordPress sites using the SeedProd plugin. This can lead to unauthorized content changes, potentially misleading visitors or disrupting site operations. There is no direct confidentiality impact reported. The vulnerability has a high integrity impact and low availability impact. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
A fix is available. Users should upgrade the Website Builder by SeedProd plugin to version 6.15.23, which addresses the missing authorization check and resolves the admin page bug introduced in version 6.15.22. Applying this update is the recommended remediation. Patch status is confirmed by the vendor's versioning information. No additional mitigations are specified or required beyond upgrading to the fixed version.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-01-30T15:10:49.992Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6d1eb7ef31ef0b56e1c7
Added to database: 2/25/2026, 9:43:58 PM
Last enriched: 4/9/2026, 1:28:25 PM
Last updated: 4/12/2026, 5:08:29 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.