CVE-2021-25067: 
WordPress vulnerability analysis and mitigation

The Landing Page Builder WordPress plugin before version 1.4.9.6 was identified with a reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2021-25067. The vulnerability was discovered by Krzysztof Zając and was publicly disclosed on December 16, 2021. The security issue specifically affects the page-builder-add functionality on the ulpb_post admin page (WPScan).

The vulnerability is classified as a reflected XSS with a CVSS score of 6.1 (medium severity) and is mapped to CWE-79. The issue manifests in the page-builder-add component on the ulpbpost admin page, where user input is not properly sanitized. A proof of concept exploit involves accessing a specific URL pattern in the WordPress admin interface: http://127.0.0.1:8001/wp-admin/edit.php?posttype=ulpb_post&page=page-builder-new-landing-page&thisPostID="+style=animation-name:rotation+onanimationstart=alert(1)+x= (WPScan).

The vulnerability allows authenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the affected admin page. This could potentially lead to unauthorized actions being performed on behalf of the administrator or other privileged users (WPScan).

The vulnerability has been fixed in version 1.4.9.6 of the Landing Page Builder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).