Attack Vectors
CVE-2026-27368 affects the WordPress plugin Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode (slug: coming-soon) in versions up to and including 6.19.8. The issue is rated Medium severity (CVSS 5.3).
Because the vulnerability stems from a missing authorization (capability) check, it can be targeted remotely by unauthenticated attackers (no login required). In practical terms, an attacker can probe WordPress sites running the affected SeedProd plugin version and attempt to trigger the exposed function(s) to carry out an unauthorized action.
This kind of exposure is particularly relevant for public-facing marketing sites and campaign landing pages, where the WordPress instance is intentionally reachable from the internet and often integrated into advertising, email, and partner traffic flows.
Security Weakness
The root cause is a missing capability check in a plugin function for Website Builder by SeedProd versions ≤ 6.19.8. In WordPress terms, capability checks are what prevent non-admins (or non-logged-in visitors) from calling sensitive actions.
When a function lacks this authorization validation, WordPress may process requests that should have been restricted to trusted users. According to the published advisory, this weakness allows an unauthenticated attacker to perform an unauthorized action.
Severity context: the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates the issue is accessible over the network, easy to attempt, requires no privileges or user interaction, and primarily risks integrity changes (rather than direct data theft or complete outage).
Technical or Business Impacts
For marketing directors and business owners, the most relevant risk is unauthorized changes that can affect brand, campaigns, and site trust. Even “Medium” issues can create meaningful business disruption when they touch public-facing pages.
Potential impacts include:
Brand and campaign integrity risk: Unauthorized changes to page-building components can lead to altered messaging, broken landing pages, incorrect offers, or misleading calls-to-action—directly impacting conversion rates and campaign ROI.
Compliance and reputational exposure: Unexpected site modifications can undermine customer trust and trigger internal incident response, vendor reviews, and compliance escalation—especially if regulated teams rely on the site for official communications.
Operational cost: Time spent investigating, restoring content, and validating marketing funnels (forms, tracking, SEO settings) can be significant—especially during active promotions.
Recommended remediation: Update Website Builder by SeedProd to version 6.19.9 or newer (patched). Reference: Wordfence vulnerability record. CVE record: CVE-2026-27368.
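To confirm whether a given install still needs the update, the following added example (not code from the advisory or from SeedProd) reads the installed plugin's Version header and compares it numerically against the affected range. It assumes the default wp-content/plugins layout; the function names and the throwaway fixture are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "coming-soon"        # slug given in the advisory
LAST_VULNERABLE = (6, 19, 8)       # versions <= 6.19.8 are affected
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M)

def parse_version(text):
    """Turn '6.19.10' into (6, 19, 10) so comparison is numeric, not lexical."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(wp_root):
    """Read the Version header the way WordPress does: from the first 8 KiB
    of a PHP file in the plugin's top-level directory."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG  # assumed default layout
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        if "Plugin Name:" in head:
            match = HEADER_RE.search(head)
            if match:
                return match.group(1)
    return None

def audit(wp_root):
    """Return (status, version); status is 'absent', 'vulnerable' or 'patched'."""
    version = installed_version(wp_root)
    if version is None:
        return ("absent", None)
    status = "vulnerable" if parse_version(version) <= LAST_VULNERABLE else "patched"
    return (status, version)

def make_sample_site(version):
    """Constructed fixture: a throwaway tree holding a minimal plugin header."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/*\n * Plugin Name: Sample Builder\n * Version: {version}\n */\n"
    (plugin_dir / "sample-main.php").write_text(header)
    return root

if __name__ == "__main__":
    for v in ("6.19.8", "6.19.9", "6.19.10"):
        print(v, audit(make_sample_site(v)))
```

On a real host, call audit() with the WordPress root directory; a relocated content directory needs the path adjusted.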