Description
Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages leadcapture allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through < 2.6.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in the WP Lead Capturing Pages plugin allows an attacker with sufficient access to delete arbitrary content entries. This flaw can lead to loss or tampering of user-submitted data, potentially impacting the integrity and availability of the site's content. The weakness is a classic example of missing authorization (CWE-862).

Affected Systems

The vulnerability affects the WP Lead Capturing Pages plugin developed by kamleshyadav. All versions prior to 2.6 are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests that, so far, exploitation is rare. The issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves issuing a delete request through the plugin's management interface, typically requiring an authenticated user with elevated privileges. An attacker who can gain such access, either by credential compromise or social engineering, can trigger the deletion, resulting in loss of content. The CVSS vector recorded for this CVE (AV:N/AC:L/PR:N/UI:N), however, rates the issue as reachable over the network with no privileges and no user interaction, so an authentication requirement should not be relied on when assessing exposure. The combination of a solid exploitation path and high severity underlines the need for timely remediation.

Generated by OpenCVE AI on May 1, 2026 at 06:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Lead Capturing Pages plugin to version 2.6 or later, which resolves the missing authorization check.
  • Ensure that content deletion actions are restricted to administrator‑level accounts and verify that no other user roles have delete permissions.
  • If an upgrade is not immediately possible, disable the deletion functionality through the plugin settings or by applying a custom code patch to block deletion requests, and monitor site logs for any unauthorized deletion attempts.


Advisories
Source: EUVD
ID: EUVD-2025-24743
Title: Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through 2.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through 2.3.
Added: Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages leadcapture allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through < 2.6.
Title
Removed: WordPress WP Lead Capturing Pages plugin <= 2.3 - Arbitrary Content Deletion vulnerability
Added: WordPress WP Lead Capturing Pages plugin < 2.6 - Arbitrary Content Deletion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through 2.3.
Title WordPress WP Lead Capturing Pages plugin <= 2.3 - Arbitrary Content Deletion vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:33:29.646Z

Reserved: 2025-03-28T11:00:15.484Z

Link: CVE-2025-31425

Vulnrichment

Updated: 2025-08-14T19:40:08.899Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:33.560

Modified: 2026-04-23T15:27:48.170

Link: CVE-2025-31425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses