WordPress Plugin Vulnerabilities

LeadConnector < 3.0.22 - Unauthenticated Rest Call

Description

The plugin does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data

Proof of Concept

Affects Plugins

Plugin icon
leadconnector
Fixed in 3.0.22

References

CVE
CVE-2026-1890

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
yiğit ibrahim sağlam
Submitter
yiğit ibrahim sağlam
Submitter website
https://ibrahimsql.com
Submitter twitter
ibrahimsql
Verified
Yes
WPVDB ID
9b88be70-b5cc-4a3f-a871-64d61cb02076

Timeline

Publicly Published
2026-03-05 (about 21 days ago)
Added
2026-03-05 (about 20 days ago)
Last Updated
2026-03-05 (about 20 days ago)

Other

Published
Title
Published
2025-01-08
Title
GS Insever Portfolio <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) CSS Injection
Published
2024-12-11
Title
Hash Form < 1.2.2 - Missing Authorization to Authenticated (Contributor+) Form Style Creation
Published
2025-10-12
Title
ChatBot < 7.4.0 - Missing Authorization
Published
2023-12-07
Title
Alt Manager < 1.6.2 - Missing Authorization
Published
2025-12-11
Title
Email Subscribers & Newsletters < 5.9.11 - Unauthenticated Action Scheduler Task Execution