The vulnerability in the Webcake – Landing Page Builder plugin arises from a missing capability check on the webcake_save_config AJAX endpoint. This flaw allows authenticated users with Subscriber-level access or higher to modify the plugin’s settings, enabling them to alter the look, structure, or behavior of the landing pages on the affected WordPress site. Because the plugin controls key visual elements and potentially redirection logic, an attacker could inject malicious content, change URLs, or deface the site. The weakness is identified as CWE-862 – missing authorization, which means the integrity of configuration data is compromised without consideration of the user’s role.

WordPress sites using the Webcake – Landing Page Builder plugin, versions up to and including 1.1. Any authenticated user who holds the Subscriber role or any higher role can exploit this flaw.

The CVSS score of 4.3 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of exploitation under current threat landscape. The flaw is not listed in CISA’s KEV catalog, so there is no known large-scale active exploitation. The attack requires the attacker to be authenticated to the WordPress installation, typically by credential compromise or social engineering. Once authenticated, the attacker can invoke the vulnerable AJAX endpoint to change plugin settings, which may have widespread impact on the site’s storefront or landing pages. Therefore, the risk is significant for organizations with less stringent role management but the likelihood of immediate exploitation is low.