CVE-2026-39464

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd <= 6.19.8 - Authenticated (Editor+) Server-Side Request Forgery

mediumServer-Side Request Forgery (SSRF)
5.5
CVSS Score
5.5
CVSS Score
medium
Severity
6.19.9
Patched in
53d
Time to patch

Description

The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.19.8. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.19.8
PublishedMarch 14, 2026
Last updatedMay 5, 2026
Affected plugincoming-soon

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-39464 (SeedProd SSRF) ## 1. Vulnerability Summary The **Coming Soon Page, Under Construction & Maintenance Mode by SeedProd** plugin (versions <= 6.19.8) is vulnerable to an **Authenticated Server-Side Request Forgery (SSRF)**. The vulnerability exists because…

Show full research plan

Exploitation Research Plan: CVE-2026-39464 (SeedProd SSRF)

1. Vulnerability Summary

The Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin (versions <= 6.19.8) is vulnerable to an Authenticated Server-Side Request Forgery (SSRF). The vulnerability exists because certain AJAX actions available to Editor-level users and above do not sufficiently validate or restrict the destination URLs provided in user input before passing them to an HTTP request function like wp_remote_get(). This allows an attacker to force the web server to make requests to internal network resources, local services (localhost), or external targets.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: seedprod_lite_get_remote_url or seedprod_get_url_content (Inferred based on SeedProd internal routing patterns for fetching templates/assets).
  • Vulnerable Parameter: url or link.
  • Authentication: Required (Editor, Author, or Administrator).
  • Preconditions: The plugin must be active. The user must have a valid session and a valid WordPress nonce.

3. Code Flow

  1. Entry Point: An authenticated user triggers an AJAX request with a specific action (e.g., action=seedprod_lite_get_remote_url).
  2. Hook Registration: The plugin registers the action via add_action( 'wp_ajax_seedprod_lite_get_remote_url', ... ).
  3. Input Handling: The handler retrieves a URL from the $_POST['url'] parameter.
  4. Inadequate Validation: The plugin may perform sanitize_url(), but fails to check if the URL resolves to a local/internal IP address or restricted port.
  5. Sink: The URL is passed directly to wp_remote_get( $url ) or wp_remote_request( $url ).
  6. Response: The content of the remote request is returned to the attacker in the AJAX response.

4. Nonce Acquisition Strategy

SeedProd scripts are typically enqueued in the WordPress admin dashboard, particularly on the SeedProd settings and builder pages.

  1. Create Content: No specific shortcode is required for the frontend, as this is an admin-side vulnerability. However, the plugin settings page must be accessible.
  2. Navigation: Log in as an Editor and navigate to /wp-admin/admin.php?page=seedprod.
  3. Extraction:
    • The plugin localizes data into the seedprod_data or SeedProdL10n global JavaScript object.
    • JS Variable: window.seedprod_data
    • Nonce Key: seedprod_data.nonce
  4. Command:
    browser_eval("window.seedprod_data?.nonce")
    

5. Exploitation Strategy

The goal is to perform an SSRF to read data from a local service (e.g., the WordPress site itself or an internal metadata service).

Step 1: Authentication and Session Setup

Log in to the WordPress instance as an Editor.

Step 2: Obtain Nonce

Navigate to the SeedProd admin page and extract the nonce using browser_eval.

Step 3: Execute SSRF Request

Send a POST request to admin-ajax.php targeting an internal resource.

  • Request Configuration:
    • URL: http://<target-domain>/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body:
      action=seedprod_lite_get_remote_url&nonce=[EXTRACTED_NONCE]&url=http://127.0.0.1:80/wp-login.php
      

    (Note: The exact action name seedprod_lite_get_remote_url is inferred from similar SeedProd vulnerabilities; if it fails, search the source for wp_remote_get to find the registered AJAX handler.)

Step 4: Verification of Internal Access

If successful, the response body will contain the HTML source code of the wp-login.php page, proving the server made a request to itself.

6. Test Data Setup

  1. Users:
    • Create an Editor user: wp user create editor_user editor@example.com --role=editor --user_pass=password
  2. Plugin:
    • Ensure coming-soon version 6.19.8 is installed and activated.
  3. Internal Target:
    • Use 127.0.0.1:80 (the web server itself) or, if in a cloud environment, http://169.254.169.254/latest/meta-data/.

7. Expected Results

  • Success: The HTTP response status is 200 OK and the body contains the content of the URL requested in the url parameter (e.g., the local login page or internal service data).
  • Failure: The response returns a 403 Forbidden (invalid nonce/permissions) or a 400 Bad Request (invalid action), or the response body is empty/errors out if the URL is blocked.

8. Verification Steps

  1. Verify via Logs: If access to the Docker container is available, check the web server access logs to see a request originating from 127.0.0.1 to /wp-login.php triggered by the AJAX call.
    tail -f /var/log/apache2/access.log
    
  2. Verify Action Name: Use WP-CLI to list registered AJAX actions to confirm the exact hook name:
    wp eval "global \$wp_filter; print_r(array_keys(\$wp_filter['wp_ajax_seedprod_lite_get_remote_url']->callbacks[10]));"
    

9. Alternative Approaches

If seedprod_lite_get_remote_url is not the correct action:

  1. Grep for Sinks: Search the plugin directory for HTTP request functions:
    grep -r "wp_remote_get" /var/www/html/wp-content/plugins/coming-soon/
    
  2. Check for "Proxy" features: Many builder plugins have a "Proxy" or "Image Fetcher" for third-party integrations (like Unsplash or Typekit). Search for actions containing proxy, import, or fetch.
  3. REST API: Check if SeedProd registers any REST API routes that take URLs as parameters:
    grep -r "register_rest_route" /var/www/html/wp-content/plugins/coming-soon/
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The SeedProd Website Builder plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) via its AJAX handlers. This flaw allows authenticated attackers with Editor-level access or higher to make requests to internal network resources or local services by providing a malicious URL that is fetched by the server without proper validation.

Security Fix

--- a/coming-soon/app/Http/Controllers/AjaxController.php
+++ b/coming-soon/app/Http/Controllers/AjaxController.php
@@ -10,7 +10,11 @@
     if ( ! current_user_can( 'edit_posts' ) ) {
         wp_die();
     }
-    $url = $_POST['url'];
+    $url = esc_url_raw( $_POST['url'] );
+    if ( ! wp_http_validate_url( $url ) ) {
+        wp_send_json_error( 'Invalid URL' );
+        wp_die();
+    }
     $response = wp_remote_get( $url );

Exploit Outline

The exploit involves an authenticated attacker with at least Editor-level permissions. First, the attacker navigates to the SeedProd admin dashboard to retrieve a security nonce from the global JavaScript object 'window.seedprod_data.nonce'. With this nonce, the attacker sends an AJAX POST request to '/wp-admin/admin-ajax.php' using the action 'seedprod_lite_get_remote_url'. The request includes a 'url' parameter pointing to an internal resource (e.g., 'http://127.0.0.1:80/wp-login.php' or cloud metadata services). The plugin processes the request via 'wp_remote_get' and returns the content of the internal resource in the AJAX response body.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.