{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3949", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-25T16:14:05.736Z", "datePublished": "2025-05-09T08:24:05.349Z", "dateUpdated": "2026-04-08T16:58:02.015Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:02.015Z"}, "affected": [{"vendor": "seedprod", "product": "Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.18.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions."}], "title": "Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.18.15 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/669b0f30-8958-420c-93c5-0103b71967dd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/coming-soon/tags/6.18.15/app/lpage.php#L820"}, {"url": "https://plugins.trac.wordpress.org/changeset/3288645/coming-soon/trunk/app/lpage.php"}, {"url": "https://www.seedprod.com/docs/changelog/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "timeline": [{"time": "2025-05-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T15:09:06.426239Z", "id": "CVE-2025-3949", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T15:15:30.212Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-09T15:09:06.426239Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T15:15:26.010Z"}}], "cna": {"title": "Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.18.15 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "seedprod", "product": "Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.18.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/669b0f30-8958-420c-93c5-0103b71967dd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/coming-soon/tags/6.18.15/app/lpage.php#L820"}, {"url": "https://plugins.trac.wordpress.org/changeset/3288645/coming-soon/trunk/app/lpage.php"}, {"url": "https://www.seedprod.com/docs/changelog/"}], "descriptions": [{"lang": "en", "value": "The Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:02.015Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3949", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:02.015Z", "dateReserved": "2025-04-25T16:14:05.736Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-09T08:24:05.349Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions."}, {"lang": "es", "value": "El complemento Website Builder by SeedProd \u2014 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode para WordPress es vulnerable al acceso no autorizado a los datos debido a la falta de una comprobaci\u00f3n de la funci\u00f3n \"seedprod_lite_get_revisisons\" en todas las versiones hasta la 6.18.15 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, lean el contenido de revisiones arbitrarias de landing pages."}], "id": "CVE-2025-3949", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-09T09:15:19.290", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/coming-soon/tags/6.18.15/app/lpage.php#L820"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3288645/coming-soon/trunk/app/lpage.php"}, {"source": "security@wordfence.com", "url": "https://www.seedprod.com/docs/changelog/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/669b0f30-8958-420c-93c5-0103b71967dd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:52:58.534084+00:00", "value": {"mitigation_remediation": ["Upgrade the SeedProd plugin to a version newer than 6.18.15 in which the access control check has been restored.", "If an upgrade cannot be applied immediately, restrict the Subscriber role from accessing the function, for example by changing user capabilities or disabling the function via a WordPress hooks or a security plugin.", "Monitor the site for suspicious access patterns to landing page revision endpoints and ensure logs capture any unauthorized attempts."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin \"Website Builder by SeedProd \u2013 Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode\" for all releases up to and including 6.18.15. Users of any of those versions should plan an upgrade.", "description_and_impact": "The SeedProd Website Builder plugin contains a missing capability check in the seedprod_lite_get_revisisons function, allowing any authenticated user with Subscriber level or higher to retrieve the full content of any landing page revision. This flaw exposes the confidential content of landing page revisions, representing a moderate confidentiality impact. The weakness is a classic access control violation (CWE-862).", "risk_and_exploitability": "The flaw requires authenticated access; an attacker needs at least Subscriber role, so it is not publicly exploitable but can be abused by compromised accounts or insiders. The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Risk is therefore moderate, primarily from potential accidental or malicious data exposure by legitimate users."}}}}, "created": "2026-04-21T21:00:36.006866+00:00", "updated": "2026-04-21T21:00:36.006885+00:00", "vendors": []}