CVE-2015-4065

Landing Pages < 1.8.4 - Authenticated Cross-Site Scripting via Post Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-4065. PoCs published by Adrián M. F.

AI-analyzed exploit summary: The code describes two vulnerabilities in the WordPress Landing Pages plugin: an authenticated SQL injection (CVE-2015-4064) and an authenticated XSS (CVE-2015-4065). It includes proof-of-concept URLs and SQLMap output for the SQLi, as well as a payload for the XSS.

Description

Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php.

Exploits (1)

exploitdb · WRITEUP · VERIFIED
by Adrián M. F. · text · webapps · php
https://www.exploit-db.com/exploits/37108

Classification: Writeup 100%
Attack Type: SQLi | XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Landing Pages plugin 1.8.4
Auth required
Prerequisites: Authenticated access to WordPress admin panel · Vulnerable plugin version installed
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Patch, Vendor Advisory x_refsource_confirm
https://wordpress.org/plugins/landing-pages/changelog/
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37108/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74777

Scores

EPSS 0.0391
EPSS Percentile 89.0%

Details

CWE CWE-79
Status published
Products (1)
landing_pages_project/landing_pages < 1.8.4
Published May 27, 2015
Tracked Since Feb 18, 2026