VYPR
Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 29, 2026

CVE-2026-39657

Description

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects leadlovers forms: from n/a through <= 1.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in leadlovers forms WordPress plugin up to 1.0.2 allows unauthenticated attackers to exploit broken access control for privileged actions.

The leadlovers forms plugin for WordPress (versions <=1.0.2) contains a missing authorization vulnerability. This broken access control issue arises because the plugin fails to properly authenticate or check nonces before executing certain functions, allowing unprivileged users to perform actions that require higher privileges [1].

An attacker can exploit this vulnerability without needing any authentication credentials. By sending crafted requests to the vulnerable WordPress site, they can bypass access controls and invoke restricted functionality. The plugin’s insufficient authorization checks make it possible for attackers to target thousands of sites in mass-exploit campaigns [1].

Successful exploitation grants an attacker the ability to execute higher-privileged actions, which could lead to full site compromise, data manipulation, or further escalation. The exact impact depends on the nature of the unprotected functions, but the severity is rated medium (CVSS 5.3) due to the potential for unauthorized operations [1].

As a mitigation, users should immediately update the leadlovers forms plugin to a version newer than 1.0.2. The Patchstack advisory strongly recommends applying the update or contacting a hosting provider for assistance if unable to do so directly [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
