CVE-2026-1890
Description
The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The LeadConnector WordPress plugin before 3.0.22 has an unauthenticated REST endpoint allowing data overwrite due to missing authorization.
Vulnerability Overview
The LeadConnector WordPress plugin versions prior to 3.0.22 are vulnerable to a missing authorization issue in a REST route [1]. This flaw allows unauthenticated attackers to call the endpoint and overwrite existing data without any authentication or authorization checks [1]. The vulnerability is classified as CWE-862: Missing Authorization and falls under OWASP Top 10 A5: Broken Access Control [1].
Attack Scenarios
The vulnerability can be exploited remotely by sending HTTP requests to the affected REST endpoint without any authentication [1]. No user interaction or special network position is required, making it accessible to any unauthenticated attacker who can reach the WordPress site [1]. The lack of authorization means the endpoint can be invoked freely.
Impact
Successful exploitation allows an attacker to overwrite existing data within the plugin's functionality [1]. Depending on the data managed by LeadConnector, this could lead to data corruption, loss of integrity, or disruption of services relying on that data [1].
Mitigation
The vulnerability has been fixed in version 3.0.22 of the plugin [1]. Users are strongly advised to update to the latest version immediately. No workarounds were provided [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
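The missing-authorization pattern described above (CWE-862 in a WordPress REST route), shown beside a hardened registration. This is an added example, not LeadConnector's code: the page does not identify the affected route, so the namespace, routes, option name and function names below are hypothetical placeholders.

```php
<?php
// Hypothetical plugin code: 'example-plugin/v1', both routes and the
// 'example_plugin_api_key' option are placeholders, not LeadConnector's.

add_action( 'rest_api_init', function () {
    // Vulnerable pattern, shown only for contrast: '__return_true' lets
    // every caller, including unauthenticated ones, reach a handler that
    // overwrites stored data.
    register_rest_route( 'example-plugin/v1', '/settings-open', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: WordPress runs the permission callback before the
    // handler and rejects the request if it does not return true.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => 'example_plugin_can_manage',
        'args'                => array(
            'api_key' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Authorization check: only users who can manage site options may write.
function example_plugin_can_manage( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // 401 for anonymous callers, 403 for logged-in users without the capability.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to change these settings.',
        array( 'status' => rest_authorization_required_code() )
    );
}

// Shared handler: overwrites the stored value with the request parameter.
function example_plugin_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_api_key', $request->get_param( 'api_key' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When reviewing a plugin, every `register_rest_route()` call whose handler writes data should name a `permission_callback` that checks a capability; since WordPress 5.5, omitting the key entirely triggers a `_doing_it_wrong` notice.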
Patches
No patches discovered yet.
References (1)
News mentions (1)
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026) · Wordfence Blog · Apr 9, 2026