{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39657", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:53.260Z", "datePublished": "2026-04-08T08:30:36.400Z", "dateUpdated": "2026-04-29T09:52:03.868Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "leadlovers-forms", "product": "leadlovers forms", "vendor": "leadlovers", "versions": [{"lessThanOrEqual": "1.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:39.994Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects leadlovers forms: from n/a through <= 1.0.2.</p>"}], "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:03.868Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/leadlovers-forms/vulnerability/wordpress-leadlovers-forms-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:06:45.962756Z", "id": "CVE-2026-39657", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:09:02.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39657", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:06:45.962756Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:05:45.433Z"}}], "cna": {"title": "WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "leadlovers", "product": "leadlovers forms", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.2"}], "packageName": "leadlovers-forms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:39.994Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/leadlovers-forms/vulnerability/wordpress-leadlovers-forms-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects leadlovers forms: from n/a through <= 1.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:36.400Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39657", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:09:02.125Z", "dateReserved": "2026-04-07T10:57:53.260Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:36.400Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2."}], "id": "CVE-2026-39657", "lastModified": "2026-04-29T10:17:36.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:36.840", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/leadlovers-forms/vulnerability/wordpress-leadlovers-forms-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "leadlovers forms", "source": "cna", "vendor": "leadlovers"}, "product": "leadlovers_forms", "vendor": "leadlovers"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T17:07:31.676581+00:00", "value": {"mitigation_remediation": ["Update the leadlovers forms plugin to version 1.0.3 or later if an update is available.", "If no update is available, deactivate or delete the plugin to eliminate the attack surface.", "Verify that user roles and permissions are correctly configured and that remaining form endpoints enforce proper authentication checks.", "Monitor vendor advisories and apply future security patches promptly."], "summary": {"action": "Patch", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "This issue affects installations of the leadlovers forms plugin for WordPress with version numbers up to and including 1.0.2. Any WordPress site that has this plugin enabled in that version range is vulnerable, regardless of how the site is accessed.", "description_and_impact": "A missing authorization check in the leadlovers forms plugin allows attackers to access or alter administrative settings and form data without proper permission. This broken access control can lead to data exposure, unauthorized modifications of form behavior, or the use of the site as a platform for further attacks. The weakness is classified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a web-based request that bypasses missing access controls; this is inferred from the description of a missing authorization check. No additional prerequisites are noted, so any authenticated user with access to the site could potentially exploit the flaw through crafted requests."}}}}, "created": "2026-04-08T19:28:16.140164+00:00", "updated": "2026-04-10T09:40:41.719088+00:00", "vendors": ["leadlovers", "leadlovers$PRODUCT$leadlovers_forms", "wordpress", "wordpress$PRODUCT$wordpress"]}