Description
The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.
Published: 2025-05-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The SeedProd Website Builder plugin contains a missing capability check in the seedprod_lite_get_revisisons function, allowing any authenticated user with Subscriber level or higher to retrieve the full content of any landing page revision. This flaw exposes the confidential content of landing page revisions, representing a moderate confidentiality impact. The weakness is a classic access control violation (CWE-862).

Affected Systems

The vulnerability affects the WordPress plugin "Website Builder by SeedProd – Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode" for all releases up to and including 6.18.15. Users of any of those versions should plan an upgrade.

Risk and Exploitability

The flaw requires authenticated access: an attacker needs at least the Subscriber role, so it cannot be exploited by unauthenticated users, but it can be abused by compromised accounts or insiders. The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Risk is therefore moderate, primarily from potential accidental or malicious data exposure by legitimate users.

Generated by OpenCVE AI on April 21, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SeedProd plugin to a version newer than 6.18.15 in which the access control check has been restored.
  • If an upgrade cannot be applied immediately, restrict the Subscriber role from accessing the function, for example by changing user capabilities or by disabling the function via a WordPress hook or a security plugin.
  • Monitor the site for suspicious access patterns to landing page revision endpoints and ensure logs capture any unauthorized attempts.



Advisories
Source: EUVD
ID: EUVD-2025-14166
Title: The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00034}
Values Added: epss {'score': 0.0004}


Fri, 09 May 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 May 2025 08:30:00 +0000

Values Added:
  • Description: The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.
  • Title: Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.18.15 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
  • Weaknesses: CWE-862
  • References:
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:02.015Z

Reserved: 2025-04-25T16:14:05.736Z

Link: CVE-2025-3949

Vulnrichment

Updated: 2025-05-09T15:15:26.010Z

NVD

Status: Deferred

Published: 2025-05-09T09:15:19.290

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z
