CVE-2026-1890

LeadConnector < 3.0.22 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 3.0.22
Time to patch: 11d

Description

The LeadConnector plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 3.0.22 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <3.0.22
Published: March 30, 2026
Last updated: April 9, 2026
Affected plugin: leadconnector

What Changed in the Fix

Changes introduced in v3.0.22


Source Code: WordPress.org SVN

Research Plan (Unverified)


Vulnerability Research Plan: CVE-2026-1890 (LeadConnector Missing Authorization)

1. Vulnerability Summary

The LeadConnector plugin (versions < 3.0.22) contains a missing authorization vulnerability. Specifically, an AJAX handler or a frontend request processor (triggered via query variables) fails to perform a capability check (e.g., current_user_can('manage_options')) before executing a privileged action. This allows unauthenticated attackers to perform unauthorized actions, such as purging the plugin's CDN cache or potentially modifying plugin settings.

Based on the source code provided and the CVSS vector (5.3 - Integrity Low), the most likely vulnerable function is an AJAX action related to CDN Cache Purging or the processing of the lc_code query variable used for OAuth-like handshakes.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: lc_purge_cache (inferred from admin/app.js and changelog)
  • Alternative Endpoint: Homepage GET request with query variables (/?lc_code=...)
  • Authentication: None required (unauthenticated).
  • Preconditions: The plugin must be active. For the cache purge, settings related to the CDN might need to be "visible" (as per changelog 3.0.19).
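To make the missing check concrete, here is an added illustration of the pattern the summary describes next to its hardened form. This is not the LeadConnector plugin's real code (the actual handler is not shown on this page); the action name lc_purge_cache is the page's own inference, and the callback names, the transient key and the script handle are hypothetical.

```php
<?php
// Added example, not the plugin's code. Shows the WordPress AJAX pattern described
// above (handler runs a privileged action with no capability check) and a fix.

// BEFORE (vulnerable pattern): the handler is exposed to logged-out users via the
// wp_ajax_nopriv_* hook and acts immediately, with no capability or nonce check.
add_action( 'wp_ajax_nopriv_lc_purge_cache', 'lc_purge_cache_unprotected' ); // hypothetical
add_action( 'wp_ajax_lc_purge_cache',        'lc_purge_cache_unprotected' );
function lc_purge_cache_unprotected() {
    // Any unauthenticated request to admin-ajax.php?action=lc_purge_cache lands here.
    delete_transient( 'lc_cdn_cache' );            // hypothetical privileged side effect
    wp_send_json_success( 'purged' );
}

// AFTER (hardened): only the authenticated hook is registered, the request must carry
// a nonce minted for this action, and the caller must hold the required capability.
add_action( 'wp_ajax_lc_purge_cache', 'lc_purge_cache_protected' );          // hypothetical
function lc_purge_cache_protected() {
    // 1. CSRF: dies with a 403 unless a valid nonce for this action is present.
    check_ajax_referer( 'lc_purge_cache_nonce', 'nonce' );

    // 2. Authorization: the capability check the vulnerable version omitted.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    delete_transient( 'lc_cdn_cache' );
    wp_send_json_success( 'purged' );
}

// The admin script (admin/app.js on this page) receives the nonce it must send back.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'lc-admin-app', 'lcAjax', array(   // 'lc-admin-app' is hypothetical
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'lc_purge_cache_nonce' ),
    ) );
} );
```

When auditing a plugin for this class of bug, look for every wp_ajax_nopriv_* registration and confirm the callback either needs no privilege at all or checks capability before any state change.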

3. Code Flow

  1. **Entry
