CVE-2025-68026
Description
Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LC Wizard: from n/a through <= 2.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The LC Wizard WordPress plugin through v2.1.1 has a missing authorization vulnerability allowing unauthenticated settings changes, which can be exploited in mass campaigns.
Overview
The LC Wizard plugin for WordPress (ghl-wizard) contains a Missing Authorization vulnerability (CVE-2025-68026) in versions up to and including 2.1.1. This flaw stems from incorrectly configured access control security levels, enabling unauthenticated attackers to modify plugin settings without proper permission checks [1].
Exploitation
The vulnerability is a settings change issue that requires no authentication, so any remote attacker can reach it. According to Patchstack, this type of vulnerability is moderately dangerous and expected to be exploited in mass campaigns targeting thousands of websites regardless of traffic size [1]. The attack surface is the plugin's settings endpoint, which does not enforce authorization.
Impact
Successful exploitation allows an attacker to alter critical plugin configurations. This could lead to unauthorized changes that affect the functionality of the LC Wizard, potentially enabling further compromise such as redirection, data exfiltration, or privilege escalation within WordPress. The broad accessibility increases the risk of widespread automated attacks.
Mitigation
The vendor has released version 2.1.2 which fixes the vulnerability. All users are strongly advised to update immediately [1]. For those unable to update, Patchstack offers a mitigation rule that blocks attacks until the patch is applied. Administrators should also consider enabling auto-updates for vulnerable plugins [1].
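To find installs still on an affected release, the following added example (not code from the plugin, Patchstack, or this page) reads the plugin's `Version:` header under a WordPress root and compares it with 2.1.2. It assumes the default `wp-content/plugins/ghl-wizard` layout; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

SLUG = "ghl-wizard"   # plugin directory name, from the CVE description
FIXED = (2, 1, 2)     # first fixed release, per the Mitigation text

def parse_version(text):
    """Numeric part of a version string as a tuple: '2.1.1-beta' -> (2, 1, 1)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when version < 2.1.2, compared numerically with zero padding."""
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(FIXED)

def installed_version(plugin_dir):
    """Read the Version header the way WordPress locates it: a top-level
    .php file whose leading comment also carries a 'Plugin Name:' header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if not re.search(r"^[ \t/*#@]*Plugin Name:", head, re.M | re.I):
            continue
        m = re.search(r"^[ \t/*#@]*Version:(.*)$", head, re.M | re.I)
        if m:
            return parse_version(m.group(1))
    return None

def audit(wp_root):
    """Return (status, version) for the plugin under one WordPress root."""
    # Assumption: default layout; a relocated wp-content needs a different path.
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown-version", None)
    return ("affected" if is_affected(version) else "fixed", version)

if __name__ == "__main__":
    for root in sys.argv[1:]:
        status, version = audit(root)
        print(root, status, ".".join(map(str, version)) if version else "-")
```

Pass one or more WordPress root directories as arguments; an `unknown-version` result means the header could not be read and the install should be checked by hand.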
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.1.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.