{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22490", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:23.295Z", "datePublished": "2026-01-08T16:24:37.839Z", "dateUpdated": "2026-04-28T16:14:45.598Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "lpagery", "product": "Bulk Landing Page Creator for WordPress LPagery", "vendor": "niklaslindemann", "versions": [{"changes": [{"at": "2.4.10", "status": "unaffected"}], "lessThanOrEqual": "2.4.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:03.692Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through <= 2.4.9.</p>"}], "value": "Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through <= 2.4.9."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.598Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lpagery/vulnerability/wordpress-bulk-landing-page-creator-for-wordpress-lpagery-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Bulk Landing Page Creator for WordPress LPagery plugin <= 2.4.9 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T16:56:14.056394Z", "id": "CVE-2026-22490", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:58:24.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22490", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T16:56:14.056394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T16:56:55.729Z"}}], "cna": {"title": "WordPress Bulk Landing Page Creator for WordPress LPagery plugin <= 2.4.9 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "niklaslindemann", "product": "Bulk Landing Page Creator for WordPress LPagery", "versions": [{"status": "affected", "changes": [{"at": "2.4.10", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.4.9"}], "packageName": "lpagery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:44:03.692Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/lpagery/vulnerability/wordpress-bulk-landing-page-creator-for-wordpress-lpagery-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through <= 2.4.9.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through <= 2.4.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.598Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22490", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:45.598Z", "dateReserved": "2026-01-07T13:44:23.295Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T16:24:37.839Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through <= 2.4.9."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en niklaslindemann Bulk Landing Page Creator para WordPress LPagery permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Bulk Landing Page Creator para WordPress LPagery: desde n/d hasta 2.4.9."}], "id": "CVE-2026-22490", "lastModified": "2026-04-23T15:36:34.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T17:15:51.370", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lpagery/vulnerability/wordpress-bulk-landing-page-creator-for-wordpress-lpagery-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:14:27.643965+00:00", "value": {"mitigation_remediation": ["Upgrade the Bulk Landing Page Creator plugin to a version that implements proper access controls, or if a patched release is unavailable, uninstall or disable the plugin entirely.", "Restrict direct access to the plugin\u2019s administrative URLs by configuring role\u2011based access control or firewall rules that allow only authenticated users with appropriate privileges to reach those endpoints.", "Review WordPress role and capability assignments and ensure that only administrators (or explicitly intended roles) have permission to use bulk landing page creation features. Remove or adjust any custom roles that grant the bulk landing page capability to non\u2011admin users."], "summary": {"action": "Upgrade Plugin", "impact": "Unauthorized access to protected bulk landing page creation features"}, "threat_synthesis": {"affected_systems": "The affected product is Bulk Landing Page Creator for WordPress LPagery developed by niklaslindemann. All versions from the earliest available through 2.4.9 are impacted.", "description_and_impact": "This vulnerability is a missing authorization flaw that allows attackers to bypass the plugin\u2019s access control and use functionality intended for privileged users. The attacker can create, edit, or delete bulk landing pages and potentially expose sensitive configuration or content. The flaw is categorized under CWE\u2011862, indicating a broken access control weakness that can lead to privilege escalation.", "risk_and_exploitability": "EPSS indicates a very low exploitation probability (below 1%), and the vulnerability is not listed in CISA\u2019s KEV catalog. With a CVSS score of 5.4, the overall severity is moderate. The flaw permits full use of privileged plugin functions. Likely attack vectors involve the plugin\u2019s administrative endpoints which can be accessed by authenticated users, but if the attacker can carefully craft a request they might exploit the missing authorization to introduce content or gain elevated privileges. The overall risk is moderate: low likelihood but significant consequences if exploitation occurs."}}}}, "created": "2026-01-09T13:24:22.699594+00:00", "updated": "2026-04-28T18:15:37.377892+00:00", "vendors": ["niklaslindemann", "niklaslindemann$PRODUCT$bulk_landing_page_creator_for_wordpress_lpagery", "wordpress", "wordpress$PRODUCT$wordpress"]}