Connector Wizard (formerly LC Wizard) Security & Risk Analysis

wordpress.org/plugins/ghl-wizard

Connect WordPress with LeadConnector CRM to automate memberships, content protection, WooCommerce, and more for a seamless and powerful experience.

900 active installs · v2.2.0 · PHP 7.4+ · WP 6.2+ · Updated Mar 14, 2026
Tags: automation, highlevel, lead-connector, membership-plugin, woocommerce
71
B · Generally Safe
CVEs total: 3
Unpatched: 1
Last CVE: Feb 5, 2026
Safety Verdict

Is Connector Wizard (formerly LC Wizard) Safe to Use in 2026?

Mostly Safe

Score 71/100

Connector Wizard (formerly LC Wizard) is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Feb 5, 2026 · Updated 20d ago
Risk Assessment

The ghl-wizard plugin v2.2.1 presents a moderate security risk. While it demonstrates some good security practices, such as a high percentage of SQL queries using prepared statements and a substantial number of capability checks, several significant concerns exist. The presence of two AJAX handlers without authentication checks provides a direct avenue for potential unauthorized actions. Additionally, the plugin has a history of three disclosed CVEs, with one high-severity and two medium-severity vulnerabilities still outstanding, indicating a recurring pattern of security weaknesses. The last reported vulnerability in 2026 suggests potential ongoing security issues that may not have been addressed.

Further analysis reveals potential for vulnerabilities. The use of the `unserialize` function, a known dangerous function, is flagged, although no critical or high-severity taint flows were detected in the analyzed sample. The existence of unsanitized paths in taint flows, coupled with a history of Cross-site Scripting (XSS) and Missing Authorization vulnerabilities, suggests that user-supplied input might not always be handled securely. The attack surface is moderately large with 20 entry points, two of which are unprotected, increasing the overall exposure.

In conclusion, while the plugin incorporates some security measures, the combination of unprotected entry points, a history of significant vulnerabilities, and the presence of dangerous functions warrants caution. The ongoing unpatched vulnerability and the pattern of past issues suggest a need for thorough code review and prompt patching to mitigate risks.

Key Concerns

  • Unpatched CVE (High Severity)
  • Unpatched CVE (Medium Severity)
  • Unpatched CVE (Medium Severity)
  • Unprotected AJAX handlers
  • Use of 'unserialize' function
  • Unsanitized paths in taint flows
  • Bundled library 'Select2' (potentially outdated)
Vulnerabilities
3

Connector Wizard (formerly LC Wizard) Security Vulnerabilities

CVEs by Year

2025: 2 CVEs · unpatched
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-68026 · medium · 5.3 · Missing Authorization

LC Wizard <= 2.1.1 - Missing Authorization to Unauthenticated Settings Update

Feb 5, 2026 · Patched in 2.1.2 (5d)

CVE-2025-5483 · high · 8.1 · Missing Authorization

LC Wizard 1.2.10 - 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation

Nov 6, 2025 · Patched in 1.4.0 (1d)

CVE-2025-58237 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LC Wizard <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Connector Wizard (formerly LC Wizard) Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 5 (25 prepared)
Unescaped Output: 28 (84 escaped)
Nonce Checks: 3
Capability Checks: 25
File Operations: 1
External Requests: 20
Bundled Libraries: 1

Dangerous Functions Found

unserialize: `$existing_tags = unserialize( $existing_tags );` (api\contacts.php:127)
unserialize: `$existing_tags = unserialize( $existing_tags );` (api\contacts.php:187)
unserialize: `$tags = unserialize( lcw_get_contact_tags_by_wp_id ( $user->ID ) );` (api\contacts.php:262)
unserialize: `$user_tags = unserialize (lcw_get_contact_tags_by_wp_id( $user_id ));` (inc\content-protection.php:601)
unserialize: `$parent_tags = unserialize (lcw_get_contact_tags_by_wp_id( $parent_user_id ));` (inc\content-protection.php:606)
unserialize: `$has_not_access = ( ! empty( $has_not_access ) ) ? unserialize ( $has_not_access ) : [];` (inc\content-protection.php:696)
unserialize: `return unserialize( $user_data->tags );` (inc\wp_user.php:687)

Bundled Libraries

Select2

SQL Query Safety

83% prepared · 30 total queries

Output Escaping

75% escaped · 112 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

7 flows · 3 with unsanitized paths
hlwpw_single_product_settings_fields (inc\product-page-settings.php:20)
Attack Surface
2 unprotected

Connector Wizard (formerly LC Wizard) Attack Surface

Entry Points: 20
Unprotected: 2

AJAX Handlers 3

auth · wp_ajax_lcw_reset_password_ajax · inc\utility.php:51
auth · wp_ajax_lcw_auto_login_ajax · inc\utility.php:164
nopriv · wp_ajax_lcw_auto_login_ajax · inc\utility.php:165

REST API Routes 11

GET /wp-json/connector-wizard/v1/settings · inc\rest-api.php:39
POST /wp-json/connector-wizard/v1/settings · inc\rest-api.php:48
GET /wp-json/connector-wizard/v1/location-tags · inc\rest-api.php:57
GET /wp-json/connector-wizard/v1/associations · inc\rest-api.php:66
GET /wp-json/connector-wizard/v1/refresh-data · inc\rest-api.php:75
GET /wp-json/connector-wizard/v1/sync-data · inc\rest-api.php:84
POST /wp-json/connector-wizard/v1/memberships · inc\rest-api.php:214
PUT /wp-json/connector-wizard/v1/memberships/(?P<id>[a-zA-Z0-9\-_]+) · inc\rest-api.php:224
GET /wp-json/connector-wizard/v1/memberships/(?P<id>[a-zA-Z0-9\-_]+) · inc\rest-api.php:234
GET /wp-json/connector-wizard/v1/memberships · inc\rest-api.php:243
DELETE /wp-json/connector-wizard/v1/memberships/(?P<id>[a-zA-Z0-9\-_]+) · inc\rest-api.php:252

Shortcodes 6

[lcw_custom_value] inc\shortcodes.php:42
[lcw_contact_sync] inc\shortcodes.php:60
[gw_custom_value] inc\shortcodes.php:104
[lcw_post_grid] inc\shortcodes.php:210
[lcw_redirect] inc\shortcodes.php:261
[lcw_reset_password] inc\shortcodes.php:338
WordPress Hooks 48
action · show_user_profile · api\contacts.php:277
action · edit_user_profile · api\contacts.php:278
action · init · api\get-token.php:3
action · init · api\get-token.php:45
action · wp_enqueue_scripts · ghl-wizard.php:59
action · admin_enqueue_scripts · ghl-wizard.php:73
action · admin_notices · ghl-wizard.php:81
action · template_redirect · inc\content-protection.php:295
action · post_updated · inc\content-protection.php:308
action · init · inc\content-protection.php:534
filter · wp_get_nav_menu_items · inc\content-protection.php:732
action · elementor/element/container/section_layout/after_section_end · inc\elementor.php:18
action · elementor/element/column/section_advanced/after_section_end · inc\elementor.php:19
action · elementor/element/section/section_advanced/after_section_end · inc\elementor.php:20
action · elementor/element/common/_section_style/after_section_end · inc\elementor.php:21
action · elementor/editor/after_enqueue_scripts · inc\elementor.php:23
filter · show_admin_bar · inc\filters.php:17
action · wp_login · inc\filters.php:41
action · wp_logout · inc\filters.php:61
action · plugins_loaded · inc\includes.php:14
action · admin_menu · inc\metaboxes.php:9
action · save_post · inc\metaboxes.php:10
filter · woocommerce_product_data_tabs · inc\product-page-settings.php:14
action · woocommerce_product_data_panels · inc\product-page-settings.php:85
action · woocommerce_process_product_meta_simple · inc\product-page-settings.php:107
action · woocommerce_process_product_meta_variable · inc\product-page-settings.php:108
action · woocommerce_product_after_variable_attributes · inc\product-page-settings.php:285
action · woocommerce_admin_process_variation_object · inc\product-page-settings.php:295
action · rest_api_init · inc\rest-api.php:92
action · rest_api_init · inc\rest-api.php:260
action · admin_menu · inc\settings-page.php:8
action · admin_enqueue_scripts · inc\settings-page.php:10
action · admin_menu · inc\settings-page.php:12
action · admin_head · inc\settings-page.php:14
action · init · inc\utility.php:6
action · plugins_loaded · inc\utility.php:366
action · init · inc\utility.php:527
action · init · inc\utility.php:533
action · wp_footer · inc\utility.php:566
action · delete_user · inc\utility.php:688
action · woocommerce_order_status_changed · inc\woo.php:155
action · woocommerce_order_status_changed · inc\woo.php:216
action · wp_login · inc\wp_user.php:93
action · user_register · inc\wp_user.php:236
action · profile_update · inc\wp_user.php:237
action · init · inc\wp_user.php:338
action · init · inc\wp_user.php:342
action · lcw_wp_user_data_updated · inc\wp_user.php:742
Maintenance & Trust

Connector Wizard (formerly LC Wizard) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 14, 2026
PHP min version: 7.4
Downloads: 40K

Community Trust

Rating: 86/100
Number of ratings: 6
Active installs: 900
Developer Profile

Connector Wizard (formerly LC Wizard) Developer Profile

Niaj Morshed

4 plugins · 2K total installs

Trust score: 91
Avg Security Score: 87/100
Avg Patch Time: 3 days
Detection Fingerprints

How We Detect Connector Wizard (formerly LC Wizard)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ghl-wizard/css/styles.css
/wp-content/plugins/ghl-wizard/js/scripts.js
/wp-content/plugins/ghl-wizard/js/autologin.js
/wp-content/plugins/ghl-wizard/js/select2.min.js
/wp-content/plugins/ghl-wizard/js/admin-scripts.js
/wp-content/plugins/ghl-wizard/css/select2.min.css
/wp-content/plugins/ghl-wizard/css/admin-styles.css
Script Paths
/wp-content/plugins/ghl-wizard/js/scripts.js
/wp-content/plugins/ghl-wizard/js/autologin.js
/wp-content/plugins/ghl-wizard/js/select2.min.js
/wp-content/plugins/ghl-wizard/js/admin-scripts.js
Version Parameters
ghl-wizard/css/styles.css?ver=
ghl-wizard/js/scripts.js?ver=
ghl-wizard/js/autologin.js?ver=
ghl-wizard/js/select2.min.js?ver=
ghl-wizard/js/admin-scripts.js?ver=
ghl-wizard/css/select2.min.css?ver=
ghl-wizard/css/admin-styles.css?ver=

HTML / DOM Fingerprints

CSS Classes
lcw-app-root
Data Attributes
id="lcw-app-root"
JS Globals
hlwpw_ajax
ConnectorWizardApp
FAQ

Frequently Asked Questions about Connector Wizard (formerly LC Wizard)