CVE-2023-4730 MEDIUM

CVE-2023-4730: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.3 - Missing Authorization via init_endpoint

Vendor: Binhnguyenplus
Product: LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
Weakness: CWE-862 · Missing authorization
Published: August 17, 2024
Last update: April 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to modify a variety of settings. An attacker can directly modify the 'ladipage_key', which enables them to create new posts on the website and inject malicious web scripts.

Key dates

02 Disclosure timeline

August 17, 2024: CVE published
April 8, 2026: Record updated
