Description
Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Broken Access Control
Action: Patch
AI Analysis

Impact

A missing authorization check in the leadlovers forms plugin allows attackers to access or alter administrative settings and form data without proper permission. This broken access control can lead to data exposure, unauthorized modifications of form behavior, or the use of the site as a platform for further attacks. The weakness is classified as CWE‑862.

Affected Systems

This issue affects installations of the leadlovers forms plugin for WordPress with version numbers up to and including 1.0.2. Any WordPress site that has this plugin enabled in that version range is vulnerable, regardless of how the site is accessed.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a web-based request that bypasses missing access controls; this is inferred from the description of a missing authorization check. No additional prerequisites are noted, so any authenticated user with access to the site could potentially exploit the flaw through crafted requests.

Generated by OpenCVE AI on April 9, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the leadlovers forms plugin to version 1.0.3 or later if an update is available.
  • If no update is available, deactivate or delete the plugin to eliminate the attack surface.
  • Verify that user roles and permissions are correctly configured and that remaining form endpoints enforce proper authentication checks.
  • Monitor vendor advisories and apply future security patches promptly.

Generated by OpenCVE AI on April 9, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Leadlovers
Leadlovers leadlovers Forms
Wordpress
Wordpress wordpress
Vendors & Products Leadlovers
Leadlovers leadlovers Forms
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2.
Title WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Leadlovers Leadlovers Forms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.868Z

Reserved: 2026-04-07T10:57:53.260Z

Link: CVE-2026-39657

cve-icon Vulnrichment

Updated: 2026-04-09T15:05:45.433Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:36.840

Modified: 2026-04-29T10:17:36.990

Link: CVE-2026-39657

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:40:41Z

Weaknesses