CVE-2025-68050

The Leadpages plugin for WordPress (versions from n/a through 1.1.3) suffers from a missing authorization vulnerability [1]. The root cause is a broken access control issue, meaning the plugin fails to properly verify authentication, authorization, or nonce tokens in certain functions, which can allow unprivileged users to execute actions that should require higher privileges [1].

Exploitation of this vulnerability does not require authentication, allowing an attacker to send crafted requests to a vulnerable WordPress site to perform unauthorized actions [1]. The attack surface is wide because the plugin is installed on many websites, and the vulnerability is considered likely to be used in mass-exploit campaigns targeting thousands of sites regardless of traffic size [1].

Successful exploitation could allow an attacker to bypass access controls and gain capabilities normally reserved for higher-privileged users, such as administrators [1]. The CVSS score of 6.5 reflects the moderate severity, but the ease of exploitation and potential for widespread attacks elevates the real-world risk [1].

The vendor has released version 1.1.4 to patch the vulnerability, and users are strongly advised to update immediately [1]. For those unable to update, implementing a virtual patch or mitigation rule (e.g., via Patchstack) can block attacks until the update is applied [1].