CVE-2024-1072: Critical Flaw in SeedProd Plugin Exposes 900K WordPress Sites

A high-severity flaw has been found in a popular WordPress plugin. The affected plugin, Website Builder by SeedProd, has over 900,000 installations.

The Website Builder by SeedProd is a powerful and user-friendly WordPress plugin designed to simplify the process of creating and customizing websites. SeedProd stands out as a highly popular choice among WordPress users for its drag-and-drop functionality, enabling users to easily design and build custom websites without needing to write code.

Dubbed CVE-2024-1072, this flaw was a gaping hole rated 8.2 out of 10 on the severity scale. This high rating underscored the potential havoc it could wreak, allowing unauthorized figures to tamper with the very fabric of WordPress sites.

The root cause of CVE-2024-1072 lay in a missing capability check within the ‘seedprod_lite_new_lpage’ function. This absence meant that even unauthenticated users could potentially twist and turn the content of web pages to their will, manipulating coming-soon or maintenance pages into unrecognizable versions of their former selves.

“This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin,” Wordfence WordPress security researchers wrote.

Responding to the urgency the situation demanded, the developers behind SeedProd fortified their defenses, releasing version 6.15.22.

Site owners, administrators, and developers are advised to update to the latest versions of Website Builder by SeedProd as soon as possible. There is no mention of any of these flaws being exploited in attacks, but unpatched vulnerabilities in WordPress plugins are often leveraged by threat actors.