CVE-2026-39664
Description
Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Leadrebel: from n/a through <= 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Leadrebel WordPress plugin <=1.0.2 has a missing authorization vulnerability allowing attackers to exploit broken access control.
Vulnerability Overview
The Leadrebel WordPress plugin, version 1.0.2 and earlier, suffers from a missing authorization vulnerability. This issue stems from incorrectly configured access control security levels, which fail to properly validate user permissions for certain functions or endpoints [1].
Exploitation Method
An attacker can exploit this vulnerability without authentication, as there is no nonce or capability check. By sending crafted requests, they can trigger privileged actions that should be restricted to higher-level users. The attack surface is exposed through the plugin's REST API or admin-ajax hooks, making it possible to target any WordPress site running the vulnerable version [1].
Impact
Successful exploitation allows an attacker to perform unauthorized actions, such as modifying site settings, accessing sensitive data, or escalating privileges. This can lead to complete site compromise if combined with other vulnerabilities. The plugin is often used in mass-exploit campaigns due to the low complexity of exploitation [1].
Mitigation
The vendor has not released a patch; users should update the plugin to the latest available version or remove it if no update is provided. As immediate action, deactivate the plugin and consult with a web developer to implement additional access controls. The vulnerability is tracked on Patchstack and may be added to CISA's KEV list [1].
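The missing nonce and capability checks described above can be triaged in plugin source during review. The following is an added example (not from the original page or the plugin vendor): a heuristic Python audit that flags admin-ajax handlers and REST routes lacking those checks. The embedded PHP sample and every name in it are constructed and hypothetical, not Leadrebel's code.

```python
import re

# Constructed sample plugin source; every name here is hypothetical, not Leadrebel's code.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_demo_save', 'demo_save');
add_action('wp_ajax_nopriv_demo_save', 'demo_save');
function demo_save() { update_option('demo_key', $_POST['key']); wp_die(); }
add_action('wp_ajax_demo_reset', 'demo_reset');
function demo_reset() {
    check_ajax_referer('demo_reset');
    if (!current_user_can('manage_options')) { wp_die('', '', 403); }
    delete_option('demo_key'); wp_die();
}
register_rest_route('demo/v1', '/settings', array(
    'methods' => 'POST', 'callback' => 'demo_rest_save',
    'permission_callback' => '__return_true',
));
"""
# Checks a privileged AJAX handler is expected to call somewhere in its body.
CHECKS = (("capability", r"current_user_can\("),
          ("nonce", r"check_ajax_referer\(|wp_verify_nonce\("))

def balanced(src, start, open_ch, close_ch):
    """Text from `start` (just past an opening delimiter) to its matching close."""
    depth, i = 1, start  # heuristic: delimiters inside PHP strings are not skipped
    while i < len(src) and depth:
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        i += 1
    return src[start:i - 1]

def audit(src):
    """Return (kind, name, reachable_without_login, missing_checks) tuples."""
    findings = []
    hook_re = r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]"
    for nopriv, action, callback in re.findall(hook_re, src):
        decl = re.search(r"function\s+" + re.escape(callback) + r"\s*\([^)]*\)\s*\{", src)
        if not decl:
            continue  # closures and class methods need manual review
        body = balanced(src, decl.end(), "{", "}")
        missing = tuple(label for label, pat in CHECKS if not re.search(pat, body))
        if missing:
            findings.append(("ajax", action, bool(nopriv), missing))
    for call in re.finditer(r"register_rest_route\s*\(", src):
        args = balanced(src, call.end(), "(", ")")
        route = re.search(r"['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]", args)
        perm = re.search(r"['\"]permission_callback['\"]\s*=>\s*['\"]?([\w:]+)", args)
        if perm is None or perm.group(1) == "__return_true":
            name = route.group(1) + route.group(2) if route else "?"
            findings.append(("rest", name, True, ("permission_callback",)))
    return findings
```

A clean result only means the calls are present in the handler body; whether the capability chosen is the right one still needs a manual read.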
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.