CVE-2025-3949: 
WordPress vulnerability analysis and mitigation

The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress contains a missing authorization vulnerability (CVE-2025-3949) discovered on May 8, 2025. The vulnerability affects all versions up to and including 6.18.15. The issue exists in the 'seedprodliteget_revisisons' function which lacks proper capability checks, allowing authenticated users with Subscriber-level access to read arbitrary landing page revisions (Wiz).

The vulnerability stems from insufficient authorization checks in the 'seedprodliteget_revisisons' function within the lpage.php file. While the function implements some authentication checks, it fails to properly validate user capabilities before allowing access to page revisions. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to read the content of arbitrary landing page revisions. This could potentially expose sensitive information that was meant to be restricted to users with higher privilege levels (NVD).

The vulnerability has been patched in version 6.18.16, released on May 6, 2025. Users are advised to update to this version or later. The fix implements proper capability checks in the 'seedprodliteget_revisisons' function (SeedProd Changelog)