CVE-2024-1072: 
WordPress vulnerability analysis and mitigation

The Website Builder by SeedProd plugin for WordPress contains a high-severity vulnerability (CVE-2024-1072) due to a missing capability check in the seedprod_lite_new_lpage function. This vulnerability affects all versions up to and including 6.15.21, impacting over 900,000 WordPress installations (Security Online, NVD).

The vulnerability stems from a missing authorization check in the seedprod_lite_new_lpage function, which allows unauthenticated attackers to modify page content. The severity is rated as HIGH with a CVSS v3.1 base score of 7.5 (NIST) and 8.2 (Wordfence), indicating significant impact potential. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability enables unauthenticated attackers to modify the contents of coming-soon pages, maintenance pages, login pages, and 404 pages that are set up with the plugin. This unauthorized access to page modification could lead to defacement or malicious content injection (WPScan).

The vulnerability has been patched in version 6.15.22, though this version introduced a bug affecting admin pages. Users are advised to upgrade to version 6.15.23 for complete remediation (NVD).