CVE-2026-1890
Received Received - Intake
Unauthorized REST Access in LeadConnector Plugin Allows Data Overwrite

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: WPScan

Description
The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1890
EUVD
EUVD-2026-16124
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
leadconnector leadconnector to 3.0.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1890 affects the LeadConnector WordPress plugin versions prior to 3.0.22. The vulnerability exists because a REST API route in the plugin lacks proper authorization controls.

This means unauthenticated users can send POST requests to the route and overwrite existing data in the database.

Specifically, attackers can insert or modify entries in the wp_lc_custom_values table by submitting JSON data containing fields like fieldKey and id.

This vulnerability is classified as CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control.

Impact Analysis

This vulnerability allows unauthenticated attackers to overwrite existing data in the LeadConnector plugin's database.

Such unauthorized data modification can lead to data integrity issues, potential disruption of plugin functionality, and could be leveraged for further attacks depending on the data overwritten.

Because the attacker does not need to be authenticated, the risk of exploitation is higher.

Detection Guidance

This vulnerability can be detected by attempting to send an unauthorized POST request to the vulnerable REST API endpoint and then verifying if the data was inserted or modified in the database.

  • Send a POST request to the endpoint `/wp-json/lc_internal_api/v1/save_custom_values` with a JSON payload to try to insert or overwrite data.
  • Example curl command to test the vulnerability:

curl -X POST "http://localhost:10005/wp-json/lc_internal_api/v1/save_custom_values" -H "Content-Type: application/json" -d '{ "custom_values": [ { "fieldKey": "HACKED", "id": "1337" } ] }'

  • Verify the insertion by querying the database table `wp_lc_custom_values` for the test entry.

Example SQL query to verify:

SELECT * FROM wp_lc_custom_values WHERE field_key = 'HACKED';

If the query returns a row with `field_id` = `1337`, it confirms the vulnerability is present.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the LeadConnector WordPress plugin to version 3.0.22 or later, where the authorization issue in the REST route has been fixed.

Compliance Impact

The vulnerability in the LeadConnector WordPress plugin allows unauthenticated users to overwrite existing data via a REST API route lacking proper authorization. This unauthorized data modification can lead to data integrity issues and potential exposure or alteration of sensitive information.

Such unauthorized access and data manipulation can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and protection against unauthorized modification.

Specifically, GDPR mandates ensuring the integrity and confidentiality of personal data, and HIPAA requires safeguarding electronic protected health information (ePHI) against unauthorized alteration. This vulnerability undermines these requirements by enabling unauthorized data changes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart