CVE-2024-1072
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify content on WordPress sites using the SeedProd Website Builder plugin. Attackers can change coming-soon pages, maintenance pages, login pages, and 404 pages created with the plugin. All WordPress sites running SeedProd plugin versions up to 6.15.21 are affected.
💻 Affected Systems
- SeedProd Website Builder WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could replace legitimate pages with malicious content, redirect users to phishing sites, or deface the website entirely, damaging brand reputation and potentially stealing credentials.
Likely Case
Attackers modify coming-soon or maintenance pages to display malicious content, phishing forms, or redirect users to malicious sites while legitimate site maintenance is occurring.
If Mitigated
With proper patching, no unauthorized modifications can occur, and all plugin functionality works as intended.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to the vulnerable endpoint. Given the high CVSS score and unauthenticated nature, exploitation is likely occurring in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.15.23
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3029567/coming-soon/trunk/app/lpage.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'SeedProd' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 6.15.23+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable SeedProd Plugin
Temporarily deactivate the SeedProd plugin until patching is possible:
wp plugin deactivate coming-soon
Restrict Access to Vulnerable Endpoint
Block access to the vulnerable action via a web application firewall or .htaccess rules. Note that RewriteRule matches only the path, never the query string, so the action must be tested with RewriteCond; a rule like this also only catches the action when it is sent in the query string, not in a POST body, which a WAF that inspects request bodies can cover.
# Add to .htaccess (mod_rewrite):
RewriteCond %{QUERY_STRING} (^|&)action=seedprod_lite_new_lpage(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
🧯 If You Can't Patch
- Implement web application firewall rules to block requests to the seedprod_lite_new_lpage endpoint
- Disable the SeedProd plugin entirely and use alternative methods for coming-soon/maintenance pages
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → SeedProd version. If version is 6.15.21 or lower, you are vulnerable.
Check Version:
wp plugin get coming-soon --field=version
Verify Fix Applied:
After updating, verify plugin version shows 6.15.23 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=seedprod_lite_new_lpage parameter from unauthenticated users
- Unusual modifications to coming-soon or maintenance page content
Network Indicators:
- POST requests to WordPress admin-ajax.php endpoint with seedprod_lite_new_lpage action from external IPs
SIEM Query (the action may appear alongside other parameters, so match it as a substring rather than as the whole query string):
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=seedprod_lite_new_lpage*" AND user="-"
Caveat: in web server access logs the user field is the HTTP authentication user, which is "-" for cookie-authenticated WordPress sessions as well, so it does not by itself prove the request was unauthenticated. admin-ajax.php also accepts the action in the POST body, which access logs do not record; body-level matching requires WAF or application logs.
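The two checks above (the version test under "How to Verify" and the access-log indicators under "Detection & Monitoring") as a worked example. This is added code, not part of the advisory or the SeedProd project; it parses Apache/nginx combined-format log lines, which are constructed samples here, and the version thresholds are taken from the advisory text (affected up to 6.15.21, fixed in 6.15.23).

```python
import re
from urllib.parse import parse_qs

# Thresholds as stated in the advisory.
LAST_VULNERABLE = (6, 15, 21)
FIXED_VERSION = (6, 15, 23)
VULN_ACTION = "seedprod_lite_new_lpage"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path?query proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_version(version: str) -> tuple:
    """Convert '6.15.21' to (6, 15, 21) so comparison is numeric.
    A plain string comparison would wrongly rank '6.9.0' above '6.15.21'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True for any plugin version at or below the last affected release.
    Feed it the output of: wp plugin get coming-soon --field=version"""
    return parse_version(version) <= LAST_VULNERABLE


def find_suspicious(lines):
    """Return one record per request to admin-ajax.php whose query string
    carries the vulnerable action. The HTTP-auth user field is reported but
    not filtered on: WordPress logins are cookie-based, so it is '-' for
    logged-in users too. Actions sent in a POST body are not visible in
    access logs and need WAF/application logging instead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != AJAX_PATH:
            continue
        params = parse_qs(m["query"] or "")
        if VULN_ACTION in params.get("action", []):
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "status": m["status"],
                "http_user": m["user"],
                "ts": m["ts"],
            })
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2024:10:15:32 +0000] "POST /wp-admin/admin-ajax.php?action=seedprod_lite_new_lpage HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Feb/2024:10:16:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 89 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Feb/2024:10:16:40 +0000] "GET /wp-admin/admin-ajax.php?foo=1&action=seedprod_lite_new_lpage HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '192.0.2.9 - - [12/Feb/2024:10:17:00 +0000] "GET /index.php?action=seedprod_lite_new_lpage HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("6.15.21", "6.15.23", "6.9.0"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} status={hit['status']} user={hit['http_user']}")
```

The second sample line is an ordinary WordPress heartbeat call and the fourth targets a different path, so neither is reported; the third shows that a 403 (for example from the .htaccess workaround above) still counts as an attempt worth recording.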
🔗 References
- https://plugins.trac.wordpress.org/changeset/3029567/coming-soon/trunk/app/lpage.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/78d7920b-3e20-43c7-a522-72bac824c2cb?source=cve