Description
The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Immediate Patch
AI Analysis

Impact

The LeadConnector WordPress plugin before version 3.0.22 performs no authorization check on one of its REST API routes, so any unauthenticated remote caller can invoke the route and overwrite existing data. This is a missing-authorization flaw (the entry is classified under CWE-284 and CWE-285): the route's handler runs without verifying that the caller is entitled to modify the records it writes. The effect is on integrity rather than confidentiality. An attacker who replaces stored values can corrupt lead records or plugin data the site depends on, and because the route needs no credentials, every site running an affected version is exposed regardless of who its users are.
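To make the mechanism concrete, the following is an added illustration in PHP of how a WordPress REST route ends up callable by anonymous users, next to the hardened form. It is not LeadConnector's code and the advisory does not publish the affected route; the namespace `example/v1`, the `/settings` route, the option names and all function names are assumptions made for the example.

```php
<?php
// Added illustration (not LeadConnector's code): the missing-authorization
// pattern behind CWE-284/285 in a WordPress REST route, next to the hardened
// form. The namespace 'example/v1', the '/settings' route, the option names
// and the callbacks are hypothetical.

/**
 * VULNERABLE: permission_callback => '__return_true' tells WordPress that
 * anyone may call the route, so an anonymous POST to
 * /wp-json/example/v1/settings reaches the handler and overwrites data.
 * Shown for comparison only; it is deliberately NOT hooked below.
 */
function example_register_route_insecure() {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'example_save_settings',
        'permission_callback' => '__return_true',
    ) );
}

/**
 * HARDENED: the route requires an authenticated user with a capability
 * appropriate for the data being written, and declares its arguments so
 * WordPress validates and sanitizes them before the callback runs.
 */
function example_register_route_secure() {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_settings',
        'permission_callback' => 'example_settings_permission',
        'args'                => array(
            'api_key' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 128;
                },
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_route_secure' );

/**
 * Authorization check. For cookie-based sessions WordPress only sets the
 * current user when the request carries a valid X-WP-Nonce, so an anonymous
 * caller (or a CSRF'd browser without the nonce) fails current_user_can().
 * rest_authorization_required_code() yields 401 for anonymous callers and
 * 403 for logged-in users lacking the capability.
 */
function example_settings_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to modify these settings.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

/**
 * Handler: writes only an allow-listed set of keys. Never derive the option
 * name from the request, or an authorized but low-privilege user could still
 * overwrite arbitrary options.
 */
function example_save_settings( WP_REST_Request $request ) {
    $allowed = array( 'api_key' );
    $updated = array();
    foreach ( $allowed as $key ) {
        $value = $request->get_param( $key );
        if ( null !== $value ) {
            update_option( 'example_' . $key, $value );
            $updated[] = $key;
        }
    }
    return rest_ensure_response( array( 'updated' => $updated ) );
}
```

The permission callback is the control the advisory says is missing; the argument schema and the allow-listed handler are the second line of defence, so that even an authorized caller cannot steer the write at arbitrary data.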

Affected Systems

WordPress sites running any version of the LeadConnector plugin lower than 3.0.22 are affected. The entry identifies no vendor distribution beyond the plugin itself; the affected range is every release prior to 3.0.22.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) describes a network-reachable, low-complexity flaw that needs no privileges and no user interaction, with a limited impact on integrity and none on confidentiality or availability. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog; the SSVC assessment in this entry records exploitation status 'poc' (a public proof of concept exists), 'Automatable: no' and partial technical impact. The attack path is a single unauthenticated HTTP request to the plugin's route under the site's public REST API, which the attacker can send without credentials.

Generated by OpenCVE AI on March 27, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the vulnerability description states that versions from 3.0.22 onward are not affected, so updating to 3.0.22 or later is the fix.

OpenCVE Recommended Actions

  • Update the LeadConnector plugin to version 3.0.22 or later.
  • If an update is not immediately possible, restrict the vulnerable REST route: identify it from the plugin's register_rest_route() calls, then deny unauthenticated requests to it with a WordPress security plugin, a must-use plugin, or a web-server (.htaccess) rule until the update is applied.
  • Verify site integrity to ensure no unauthorized modifications have occurred; review web-server logs for unauthenticated POST/PUT/PATCH requests to the plugin's REST namespace.
  • Schedule a site-wide audit of sensitive data and review plugin settings that may have been altered.
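As an added example for the second action above (not vendor or OpenCVE code), here is a must-use plugin that denies unauthenticated state-changing requests to the plugin's REST namespace until the update is applied. The advisory does not name the vulnerable route, so the prefix `/leadconnector/v1/` is a placeholder to be replaced with the real namespace found in the plugin's `register_rest_route()` calls; the function `lc_mitigation_gate` and the constant name are this example's own.

```php
<?php
/**
 * Plugin Name: Temporary REST mitigation for LeadConnector < 3.0.22
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              and remove once the plugin is updated to 3.0.22 or later.
 */

// ASSUMPTION: the advisory does not name the vulnerable route. Locate it by
// searching the plugin for register_rest_route() calls and put the real
// namespace (or the full route) here; '/leadconnector/v1/' is a placeholder.
define( 'LC_MITIGATION_ROUTE_PREFIX', '/leadconnector/v1/' );

/**
 * Runs before the route's own permission_callback (rest_request_before_callbacks
 * is applied first in WP_REST_Server::respond_to_request). Returning a
 * WP_Error stops dispatch, so the vulnerable handler never executes for
 * callers that fail the check.
 */
function lc_mitigation_gate( $response, $handler, $request ) {
    // Leave any error produced by an earlier filter untouched.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // Normalise to a leading slash so both pretty and ?rest_route= forms match.
    $route = '/' . ltrim( $request->get_route(), '/' );
    if ( 0 !== strpos( $route, LC_MITIGATION_ROUTE_PREFIX ) ) {
        return $response; // not the plugin's namespace
    }

    // The flaw is data overwrite, so only state-changing verbs are gated.
    $method = $request->get_method();
    if ( in_array( $method, array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return $response;
    }

    // Anonymous callers, and cookie sessions without a valid X-WP-Nonce,
    // have no current user and therefore fail this capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'lc-mitigation: blocked %s %s from %s', $method, $route, $ip ) );
        return new WP_Error(
            'rest_forbidden',
            'This endpoint is temporarily disabled pending a plugin update.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $response;
}
add_filter( 'rest_request_before_callbacks', 'lc_mitigation_gate', 10, 3 );
```

The error_log line doubles as a detection signal while the mitigation is in place. Gating a whole namespace can break legitimate front-end flows the plugin routes through the same prefix (form submissions, for instance), so narrow the prefix to the exact route once it is identified and test the site afterwards. A web-server rule denying /wp-json/<namespace>/ is the alternative where a must-use plugin cannot be deployed, at the cost of also blocking authenticated callers.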



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Weaknesses: CWE-285

Fri, 27 Mar 2026 09:30:00 +0000

Weaknesses: CWE-284

Fri, 27 Mar 2026 04:00:00 +0000

Weaknesses: CWE-284

Thu, 26 Mar 2026 14:15:00 +0000

Metrics:
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 14:00:00 +0000

Weaknesses: CWE-284, CWE-285

Thu, 26 Mar 2026 12:30:00 +0000

Weaknesses: CWE-284, CWE-285

Thu, 26 Mar 2026 12:00:00 +0000

First Time appeared: Leadconnector, Leadconnector leadconnector, Wordpress, Wordpress wordpress
Vendors & Products: Leadconnector, Leadconnector leadconnector, Wordpress, Wordpress wordpress

Thu, 26 Mar 2026 06:30:00 +0000

Description: The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data
Title: LeadConnector < 3.0.22 - Unauthenticated Rest Call
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-26T13:33:43.195Z

Reserved: 2026-02-04T14:26:21.828Z

Link: CVE-2026-1890

Vulnrichment

Updated: 2026-03-26T13:33:40.576Z

NVD

Status : Deferred

Published: 2026-03-26T07:16:19.907

Modified: 2026-04-15T15:05:47.827

Link: CVE-2026-1890

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T15:47:39Z

Weaknesses