{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68026", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:59.034Z", "datePublished": "2026-02-20T15:46:35.938Z", "dateUpdated": "2026-04-28T19:55:30.587Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ghl-wizard", "product": "LC Wizard", "vendor": "Niaj Morshed", "versions": [{"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThanOrEqual": "2.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:15.786Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LC Wizard: from n/a through <= 2.1.1.</p>"}], "value": "Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:26.941Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ghl-wizard/vulnerability/wordpress-lc-wizard-plugin-2-1-0-settings-change-vulnerability?_s_id=cve"}], "title": "WordPress LC Wizard plugin <= 2.1.1 - Settings Change vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:32:12.471509Z", "id": "CVE-2025-68026", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:55:30.587Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-68026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T21:32:12.471509Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:32:14.068Z"}}], "cna": {"title": "WordPress LC Wizard plugin <= 2.1.1 - Settings Change vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Niaj Morshed", "product": "LC Wizard", "versions": [{"status": "affected", "changes": [{"at": "2.1.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.1.1"}], "packageName": "ghl-wizard", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-20T16:44:00.565Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ghl-wizard/vulnerability/wordpress-lc-wizard-plugin-2-1-0-settings-change-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LC Wizard: from n/a through <= 2.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-20T15:46:35.938Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68026", "state": "PUBLISHED", "dateUpdated": "2026-02-24T21:35:27.229Z", "dateReserved": "2025-12-15T10:00:59.034Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:35.938Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Niaj Morshed LC Wizard ghl-wizard permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a LC Wizard: desde n/a hasta &lt;= 2.1.1."}], "id": "CVE-2025-68026", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:07.780", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ghl-wizard/vulnerability/wordpress-lc-wizard-plugin-2-1-0-settings-change-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.1.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LC Wizard", "source": "cna", "vendor": "Niaj Morshed"}, "product": "lc_wizard", "vendor": "niaj_morshed"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:45:43.071511+00:00", "value": {"mitigation_remediation": ["Update LC Wizard to the latest version that fixes the missing authorization issue.", "Ensure that WordPress administrator accounts have strong, unique passwords and enable two\u2011factor authentication.", "Restrict administrative access to trusted users only and review user roles regularly.", "Monitor plugin configuration changes and alert on unauthorized modifications."], "summary": {"action": "Update plugin", "impact": "Authorization bypass allowing settings tampering"}, "threat_synthesis": {"affected_systems": "All installations of the Niaj Morshed LC Wizard plugin with a version equal to or older than 2.1.1 are vulnerable. The issue occurs in the plugin as distributed for WordPress and affects any site that has not applied a later update.", "description_and_impact": "Missing authorization in the LC Wizard plugin permits an attacker who can access the plugin\u2019s admin interface to change its configuration settings. This lack of proper access control enables an unauthorized user to alter or disable plugin features, potentially compromising the site\u2019s functionality and security.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, but the EPSS score of less than 1% suggests that the likelihood of automated exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the web interface exposed by WordPress, allowing remote exploitation without elevated privileges. An attacker with web access to the site could manipulate settings without proper authentication checks, thereby elevating privileges within the WordPress environment."}}}}, "created": "2026-02-23T14:45:46.404080+00:00", "updated": "2026-04-27T21:00:13.138564+00:00", "vendors": ["niaj_morshed", "niaj_morshed$PRODUCT$lc_wizard", "wordpress", "wordpress$PRODUCT$wordpress"]}