Website Builder by SeedProd — Theme Builder, Landing Page Builder, …

Feb 26, 2026 | Plugins

Attack Vectors

CVE-2026-27368 affects the WordPress plugin Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode (slug: coming-soon) in versions up to and including 6.19.8. The issue is rated Medium severity (CVSS 5.3).

Because the CVSS vector indicates no privileges required and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), the primary risk is that an attacker on the internet could directly target affected sites and attempt to trigger the vulnerable function remotely.

For marketing and executive teams, this matters most on high-visibility pages (landing pages, “coming soon,” and maintenance mode experiences) where unauthorized changes can quickly impact brand perception, conversions, and campaign performance.

Security Weakness

The reported weakness is a missing authorization (capability) check on a function in the plugin. In plain terms: the plugin does not reliably verify that a request is coming from a user who should be allowed to perform the action.

Wordfence’s advisory states this can allow unauthenticated attackers to perform an unauthorized action. The public summary does not specify exactly which action(s) can be performed, so risk owners should assume that some plugin-related setting or operation could be changed without logging in.

No known patch is available at the time of the advisory. That elevates the importance of compensating controls and risk-based decision-making (temporary shutdown of affected functionality, replacement, or removal), especially for regulated environments or revenue-critical sites.

Technical or Business Impacts

Website integrity and brand risk: Even if confidentiality is not the primary concern (CVSS indicates no direct confidentiality impact), unauthorized changes that affect site presentation can create reputational damage, confuse customers, and undermine campaign credibility.

Marketing performance disruption: SeedProd is commonly used for landing pages and maintenance/coming-soon experiences. Unauthorized changes could reduce conversion rates, break tracking consistency, or cause campaign downtime at critical moments.

Operational and compliance impact: Incident response (triage, restoration, validation, and post-incident reporting) consumes internal time and agency/vendor budget. For compliance teams, any unauthorized change to customer-facing content can trigger additional review requirements depending on policy and industry obligations.

Recommended mitigations (given no patch): Consider uninstalling or replacing the affected plugin if feasible, especially on public-facing production sites. If removal is not immediately possible, reduce exposure by limiting access paths (e.g., protective web application firewall rules, tighter edge controls), increasing monitoring for unexpected changes, and ensuring reliable backups and a tested rollback process.
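To scope which sites need these mitigations, the following added example (not from the Wordfence advisory or from SeedProd) reads the plugin header under each WordPress root and flags installs in the advisory's range, up to and including 6.19.8. The default `wp-content/plugins` layout, the function names and the status labels are assumptions of this example.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "coming-soon"   # slug given in the advisory
LAST_AFFECTED = (6, 19, 8)    # "up to and including 6.19.8"
HEADER_BYTES = 8192           # WordPress reads plugin headers from the first 8 KB

def _header(text, field):
    """Return one plugin header field (e.g. 'Version') from a file's head, or None."""
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:(.*)$", text, re.I | re.M)
    if not m:
        return None
    # Drop a comment terminator that shares the line with the value.
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip() or None

def parse_version(raw):
    """'6.19.8' or '6.19.8-beta' -> (6, 19, 8); None when no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", raw or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '6.19' to (6, 19, 0)

def installed_version(plugin_dir):
    """Read Version from the main file, i.e. the one carrying a 'Plugin Name' header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        with open(php, "rb") as fh:
            head = fh.read(HEADER_BYTES).decode("utf-8", "replace")
        if _header(head, "Plugin Name"):
            return _header(head, "Version")
    return None

def assess(wp_root):
    """Classify one install: not-installed, affected, outside-range or unknown."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    version = parse_version(installed_version(plugin_dir))
    if version is None:
        return "unknown"  # plugin directory present but no readable version
    # Numeric tuple comparison, so 6.2.0 sorts below 6.19.8 (string compare would not).
    # 'outside-range' only means above the advisory's stated range, not "patched".
    return "affected" if version <= LAST_AFFECTED else "outside-range"

if __name__ == "__main__":
    for root in sys.argv[1:]:  # usage: script.py /var/www/site1 /var/www/site2
        print(f"{root}: {assess(root)}")
```

An `unknown` result means the plugin directory exists but its version could not be read, so that install should be reviewed by hand rather than treated as clear.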

Reference: CVE-2026-27368 and the source advisory at Wordfence Threat Intelligence.

Similar Attacks

Authorization gaps and exposed plugin functionality are a recurring source of WordPress incidents. A few well-documented examples include:

CVE-2020-25213 (File Manager plugin) — widely exploited in the wild and frequently cited as an example of how a single plugin issue can quickly lead to broad website compromise and emergency response efforts.

CVE-2023-32243 (Elementor Pro) — an example of a high-impact WordPress ecosystem vulnerability affecting a popular site-building plugin, reinforcing the business need for rapid mitigation when core marketing-site components are at risk.
