{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25441", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:40.964Z", "datePublished": "2026-02-19T08:27:08.043Z", "dateUpdated": "2026-04-28T16:14:59.041Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "leadconnector", "product": "LeadConnector", "vendor": "varunvairavanlc", "versions": [{"changes": [{"at": "3.0.22", "status": "unaffected"}], "lessThanOrEqual": "3.0.21", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "YOUSEF MISHAAL ALI | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:33.029Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in varunvairavanlc LeadConnector leadconnector allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LeadConnector: from n/a through <= 3.0.21.</p>"}], "value": "Missing Authorization vulnerability in varunvairavanlc LeadConnector leadconnector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LeadConnector: from n/a through <= 3.0.21."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.041Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/leadconnector/vulnerability/wordpress-leadconnector-plugin-3-0-21-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress LeadConnector plugin <= 3.0.21 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:00:15.135332Z", "id": "CVE-2026-25441", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:42:34.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25441", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:00:15.135332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:00:02.556Z"}}], "cna": {"title": "WordPress LeadConnector plugin <= 3.0.21 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "YOUSEF MISHAAL ALI | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "varunvairavanlc", "product": "LeadConnector", "versions": [{"status": "affected", "changes": [{"at": "3.0.22", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.21"}], "packageName": "leadconnector", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:33.029Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/leadconnector/vulnerability/wordpress-leadconnector-plugin-3-0-21-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in varunvairavanlc LeadConnector leadconnector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LeadConnector: from n/a through <= 3.0.21.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in varunvairavanlc LeadConnector leadconnector allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LeadConnector: from n/a through <= 3.0.21.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.041Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25441", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:59.041Z", "dateReserved": "2026-02-02T12:53:40.964Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:08.043Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in varunvairavanlc LeadConnector leadconnector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LeadConnector: from n/a through <= 3.0.21."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en LeadConnector LeadConnector leadconnector permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a LeadConnector: desde n/a hasta &lt;= 3.0.21."}], "id": "CVE-2026-25441", "lastModified": "2026-04-23T15:37:10.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:24.440", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/leadconnector/vulnerability/wordpress-leadconnector-plugin-3-0-21-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.21]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.0.22"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LeadConnector", "source": "cna", "vendor": "LeadConnector"}, "product": "leadconnector", "vendor": "leadconnector"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:42:59.980610+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of LeadConnector newer than 3.0.21, if a fix is available from the vendor.", "If an upgrade is not possible, restrict access to the plugin by limiting WordPress administrator rights or disabling the plugin for non\u2011trusted accounts.", "Perform a review of WordPress user roles, remove unnecessary administrator accounts, and enforce least privilege to mitigate potential exploitation."], "summary": {"action": "Upgrade Plugin", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "LeadConnector plugin for WordPress, versions up to and including 3.0.21 are vulnerable. All installations of the plugin within that version range are susceptible regardless of configuration settings.", "description_and_impact": "The vulnerability is a missing authorization flaw in the LeadConnector plugin for WordPress, allowing attackers to exploit incorrectly configured access control levels. This results in broken access control, enabling unauthorized users to read or modify data managed by the plugin. It is classified as CWE-862, indicating that the system does not enforce proper access checks.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity; the EPSS score is below 1\u202f%, suggesting low current exploitation likelihood. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers could target the plugin via the WordPress administrative interface, potentially requiring authentication or exploiting default credentials. The lack of explicit authorization checks implies that users with any authenticated role that can access the plugin could potentially perform privileged actions, so the attack vector is likely a web\u2011based exploitation path within the WordPress environment."}}}}, "created": "2026-02-20T10:08:14.492896+00:00", "updated": "2026-04-28T17:45:16.143407+00:00", "vendors": ["leadconnector", "leadconnector$PRODUCT$leadconnector", "wordpress", "wordpress$PRODUCT$wordpress"]}