Description
Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadrebel: from n/a through <= 1.0.2.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch
AI Analysis

Impact

Missing authorization checks in the Leadrebel WordPress plugin allow users to access or invoke functionality that should be restricted by proper access control. The flaw is classified as CWE‑862, reflecting incomplete enforcement of authorization policies. Exploitation could cause the system to expose or alter resources that should only be available to privileged users.

Affected Systems

All installations of WordPress that have the Leadrebel plugin at version 1.0.2 or earlier are affected. No additional WordPress core or plugin version constraints are specified, so the vulnerability applies broadly to any site meeting the plugin version criterion.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The issue is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because the description does not specify an exact attack path, it is inferred that the vulnerability may be exploitable via the plugin’s administrative interface or by any authenticated user under inadequate authorization controls.

Generated by OpenCVE AI on April 9, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Leadrebel plugin to a version newer than 1.0.2.
  • If upgrading is not possible, deactivate the plugin to eliminate the vulnerable code.
  • Restrict access to the plugin’s administrative interface by adjusting WordPress user roles or applying network-level controls if the plugin must remain active.
  • Monitor the plugin vendor for additional security updates.

Generated by OpenCVE AI on April 9, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Leadrebel
Leadrebel leadrebel
Wordpress
Wordpress wordpress
Vendors & Products Leadrebel
Leadrebel leadrebel
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadrebel: from n/a through <= 1.0.2.
Title WordPress Leadrebel plugin <= 1.0.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Leadrebel Leadrebel
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.923Z

Reserved: 2026-04-07T10:57:59.670Z

Link: CVE-2026-39664

cve-icon Vulnrichment

Updated: 2026-04-09T15:03:22.115Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:37.613

Modified: 2026-04-29T10:17:37.750

Link: CVE-2026-39664

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:40:38Z

Weaknesses