CVE-2026-1890
Unauthorized REST Access in LeadConnector Plugin Allows Data Overwrite
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: WPScan
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leadconnector | leadconnector | to 3.0.22 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1890 affects the LeadConnector WordPress plugin versions prior to 3.0.22. The vulnerability exists because a REST API route in the plugin lacks proper authorization controls.
This means unauthenticated users can send POST requests to the route and overwrite existing data in the database.
Specifically, attackers can insert or modify entries in the wp_lc_custom_values table by submitting JSON data containing fields like fieldKey and id.
This vulnerability is classified as CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to overwrite existing data in the LeadConnector plugin's database.
Such unauthorized data modification can lead to data integrity issues, potential disruption of plugin functionality, and could be leveraged for further attacks depending on the data overwritten.
Because the attacker does not need to be authenticated, the risk of exploitation is higher.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to send an unauthorized POST request to the vulnerable REST API endpoint and then verifying if the data was inserted or modified in the database.
- Send a POST request to the endpoint `/wp-json/lc_internal_api/v1/save_custom_values` with a JSON payload to try to insert or overwrite data. Example curl command to test the vulnerability:

```bash
curl -X POST "http://localhost:10005/wp-json/lc_internal_api/v1/save_custom_values" \
  -H "Content-Type: application/json" \
  -d '{ "custom_values": [ { "fieldKey": "HACKED", "id": "1337" } ] }'
```

- Verify the insertion by querying the database table `wp_lc_custom_values` for the test entry. Example SQL query to verify:

```sql
SELECT * FROM wp_lc_custom_values WHERE field_key = 'HACKED';
```

If the query returns a row with `field_id` = `1337`, it confirms the vulnerability is present.
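Beyond probing the endpoint directly, the same detection question can be answered retrospectively from web server access logs: any accepted POST to the route from before the plugin was updated is a write that should be checked against the `wp_lc_custom_values` table. The following is an added example, not code from the advisory or from the LeadConnector plugin; the route path is taken from this page, the log lines are constructed in the Apache/Nginx combined format, and the function name is an assumption.

```php
<?php
// Added example (not plugin code): flag POST requests to the affected REST route
// in a combined-format access log and separate accepted (2xx/3xx) from rejected ones.

const LC_VULN_ROUTE = '/wp-json/lc_internal_api/v1/save_custom_values';

/**
 * Returns one record per POST to the vulnerable route.
 * Combined log format: ip - user [time] "METHOD path HTTP/x" status size "referer" "agent"
 */
function lc_example_find_route_posts( array $lines ): array {
    $hits    = array();
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a combined-format line, skip it
        }
        // Match the route prefix so query strings on the path are still caught.
        if ( $m[3] === 'POST' && strpos( $m[4], LC_VULN_ROUTE ) === 0 ) {
            $status = (int) $m[5];
            $hits[] = array(
                'ip'       => $m[1],
                'time'     => $m[2],
                'status'   => $status,
                // An accepted write before the fix is the case to reconcile with the table.
                'accepted' => $status < 400,
            );
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
$sample = array(
    '203.0.113.5 - - [26/Mar/2026:10:00:01 +0000] "POST /wp-json/lc_internal_api/v1/save_custom_values HTTP/1.1" 200 45 "-" "curl/8.0"',
    '198.51.100.7 - - [26/Mar/2026:10:00:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Mar/2026:10:00:03 +0000] "POST /wp-json/lc_internal_api/v1/save_custom_values HTTP/1.1" 401 60 "-" "curl/8.0"',
);

foreach ( lc_example_find_route_posts( $sample ) as $hit ) {
    printf(
        "%s %s -> HTTP %d%s\n",
        $hit['time'],
        $hit['ip'],
        $hit['status'],
        $hit['accepted'] ? ' (accepted: reconcile with wp_lc_custom_values)' : ' (rejected)'
    );
}
```

On the constructed input this reports two POSTs from 203.0.113.5: the 200 response is the one to reconcile with the table contents, while the 401 is what a patched route returns to an unauthenticated caller. Against a real log, feed `file('access.log', FILE_IGNORE_NEW_LINES)` to the function and treat any accepted POST dated before the update to 3.0.22 as a candidate unauthorized write.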
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the LeadConnector WordPress plugin to version 3.0.22 or later, where the authorization issue in the REST route has been fixed.
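For plugin developers, the class of defect described above is a REST route registered without an effective `permission_callback`, so WordPress serves it to anonymous callers. The following is an added example, not the LeadConnector plugin's code and not its actual fix; it shows the vulnerable registration pattern next to a hardened one. The namespace and route path are taken from this advisory, the `field_key` and `field_id` column names are the ones the advisory's own SQL mentions, and every function name, the `manage_options` capability choice and the assumption of a unique key on `field_key` are hypothetical.

```php
<?php
// Added example (not plugin code): hardened registration of the save_custom_values route.

add_action( 'rest_api_init', 'lc_example_register_routes' );

function lc_example_register_routes() {
    register_rest_route(
        'lc_internal_api/v1',
        '/save_custom_values',
        array(
            'methods'  => WP_REST_Server::CREATABLE, // POST
            'callback' => 'lc_example_save_custom_values',
            // Vulnerable pattern: 'permission_callback' => '__return_true'
            // lets any unauthenticated client reach the callback.
            'permission_callback' => 'lc_example_can_save_custom_values',
            'args'     => array(
                'custom_values' => array(
                    'required'          => true,
                    'type'              => 'array',
                    'validate_callback' => 'lc_example_validate_custom_values',
                    'sanitize_callback' => 'lc_example_sanitize_custom_values',
                ),
            ),
        )
    );
}

// Authorization: WordPress only sets a cookie-authenticated user for REST calls
// that carry a valid X-WP-Nonce, so current_user_can() covers CSRF as well.
function lc_example_can_save_custom_values( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) { // capability is an assumption
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to modify custom values.',
            array( 'status' => rest_authorization_required_code() ) // 401 anon, 403 logged in
        );
    }
    return true;
}

// Input validation: reject anything that is not a list of {fieldKey, id} objects.
function lc_example_validate_custom_values( $value, WP_REST_Request $request, $param ) {
    if ( ! is_array( $value ) ) {
        return new WP_Error( 'rest_invalid_param', 'custom_values must be an array.', array( 'status' => 400 ) );
    }
    foreach ( $value as $entry ) {
        if ( ! is_array( $entry ) || ! isset( $entry['fieldKey'], $entry['id'] ) ) {
            return new WP_Error( 'rest_invalid_param', 'Each entry needs fieldKey and id.', array( 'status' => 400 ) );
        }
        if ( ! preg_match( '/^[A-Za-z0-9_.-]{1,100}$/', (string) $entry['fieldKey'] ) ) {
            return new WP_Error( 'rest_invalid_param', 'fieldKey has an invalid format.', array( 'status' => 400 ) );
        }
        if ( ! ctype_digit( (string) $entry['id'] ) ) {
            return new WP_Error( 'rest_invalid_param', 'id must be a non-negative integer.', array( 'status' => 400 ) );
        }
    }
    return true;
}

function lc_example_sanitize_custom_values( $value ) {
    $clean = array();
    foreach ( $value as $entry ) {
        $clean[] = array(
            'fieldKey' => sanitize_text_field( $entry['fieldKey'] ),
            'id'       => absint( $entry['id'] ),
        );
    }
    return $clean;
}

// Only reached after authorization and validation succeed.
function lc_example_save_custom_values( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'lc_custom_values';
    $saved = 0;
    foreach ( $request->get_param( 'custom_values' ) as $entry ) {
        // $wpdb->replace() inserts or overwrites; it assumes a unique key on field_key
        // and uses format specifiers, so the values are never interpolated into SQL.
        $result = $wpdb->replace(
            $table,
            array( 'field_key' => $entry['fieldKey'], 'field_id' => $entry['id'] ),
            array( '%s', '%d' )
        );
        if ( false !== $result ) {
            $saved++;
        }
    }
    return rest_ensure_response( array( 'saved' => $saved ) );
}
```

With this registration, the curl probe shown earlier on this page receives a 401 from the permission callback before the save callback runs; a logged-in user without the required capability receives a 403. The `args` validation is independent of the authorization fix but closes the second half of the issue, since a route that overwrites database rows should not accept arbitrary `fieldKey` or `id` values even from an authorized caller.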
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the LeadConnector WordPress plugin allows unauthenticated users to overwrite existing data via a REST API route lacking proper authorization. This unauthorized data modification can lead to data integrity issues and potential exposure or alteration of sensitive information.
Such unauthorized access and data manipulation can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and protection against unauthorized modification.
Specifically, GDPR mandates ensuring the integrity and confidentiality of personal data, and HIPAA requires safeguarding electronic protected health information (ePHI) against unauthorized alteration. This vulnerability undermines these requirements by enabling unauthorized data changes.