WordPress Plugin Vulnerabilities

LeadConnector < 1.8 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Description

The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Affects Plugins

Plugin icon
leadconnector
Fixed in 1.8

References

CVE
CVE-2024-1371
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/79e786ce-a3eb-40df-8dad-4c9c75243bec

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
2591586a-d7e3-470a-b9ca-afb91746fe9f

Timeline

Publicly Published
2024-04-29 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2026-02-17
Title
Academy LMS < 3.5.4 - Missing Authorization
Published
2025-04-01
Title
Shopper Approved Reviews 2.0 - 2.1 - Subscriber+ Arbitrary Options Update
Published
2025-04-01
Title
OpenAI Tools for WordPress & WooCommerce <= 2.1.5 - Missing Authorization
Published
2024-04-22
Title
Secure Copy Content Protection and Content Locking < 3.7.2 - Missing Authorization
Published
2025-01-23
Title
Jobify - Job Board WordPress Theme < 4.2.8 - Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation