CVE-2020-36839
📋 TL;DR
The WP Lead Plus X WordPress plugin has a Cross-Site Request Forgery vulnerability that allows unauthenticated attackers to trick administrators into performing malicious actions. Attackers can add pages or inject malicious JavaScript into websites by getting administrators to click malicious links. All WordPress sites using WP Lead Plus X version 0.99 or earlier are affected.
💻 Affected Systems
- WP Lead Plus X WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover through administrative actions, content defacement, malware injection, and credential theft via malicious JavaScript.
Likely Case
Site defacement, SEO spam injection, or redirection to malicious sites through unauthorized page creation.
If Mitigated
Limited impact if administrators use CSRF tokens, security plugins, or avoid clicking suspicious links.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators into clicking malicious links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.0 or later
Vendor Advisory: https://wordpress.org/plugins/free-sales-funnel-squeeze-pages-landing-page-builder-templates-make/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP Lead Plus X. 4. Click 'Update Now' if available. 5. If no update available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Deactivate Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate wp-lead-plus-x
Add CSRF Protection Headers
linuxAdd security headers to WordPress .htaccess file
Add to .htaccess: Header set X-Frame-Options "DENY"
Add to .htaccess: Header set Content-Security-Policy "frame-ancestors 'none'"
🧯 If You Can't Patch
- Remove the WP Lead Plus X plugin completely from the WordPress installation
- Implement strict access controls and monitoring for administrative actions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP Lead Plus X version 0.99 or earlierCheck Version:
wp plugin get wp-lead-plus-x --field=versionVerify Fix Applied:
Verify WP Lead Plus X plugin is either updated to version 1.0+ or completely removed📡 Detection & Monitoring
Log Indicators:
- Unauthorized page creation in WordPress logs
- Administrative actions from unexpected IP addresses
- Multiple failed CSRF validation attempts
Network Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with suspicious parameters
- Requests containing 'action=wplpx_' patterns without proper nonce
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "wplpx_")🔗 References
- https://wordpress.org/plugins/free-sales-funnel-squeeze-pages-landing-page-builder-templates-make/#developers
- https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-in-the-wp-lead-plus-x-wordpress-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb97db0-cbf3-42be-a5c7-12fc2a2bc9e8?source=cve
