CVE-2026-39657
Missing Authorization in Leadlovers Forms Allows Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leadlovers | leadlovers_forms | to 1.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39657 is a Broken Access Control vulnerability in the WordPress leadlovers forms plugin versions up to and including 1.0.2. It occurs due to missing authorization, authentication, or nonce token checks, which allows unauthenticated users to perform actions that should be restricted to higher privileged users.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to perform privileged actions on a website using the affected leadlovers forms plugin. Although the CVSS score is 5.3, indicating a low severity impact, exploitation could lead to unauthorized access or changes within the plugin's functionality. However, it is considered unlikely to be exploited with significant effect.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to missing authorization checks in the leadlovers forms WordPress plugin up to version 1.0.2, allowing unauthorized users to perform privileged actions.
Detection typically involves verifying the plugin version installed on your WordPress site and checking for unauthorized access attempts or actions that should require higher privileges.
You can detect the presence of the vulnerable plugin version by running commands to list installed WordPress plugins and their versions, for example:
- Using WP-CLI: wp plugin list | grep leadlovers-forms
- Manually checking the plugin version in the WordPress admin dashboard under Plugins.
To detect exploitation attempts, review web server logs for suspicious requests targeting leadlovers forms endpoints or actions that should require authentication.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the leadlovers forms plugin to a non-vulnerable version if an update is available.
Since no official patch is currently available for this vulnerability, if updating is not possible, users should seek assistance from their hosting provider or web developer to implement access control restrictions or other protective measures.
Additionally, consider using security services such as those offered by Patchstack for rapid vulnerability mitigation and enhanced protection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-39657 vulnerability is a Broken Access Control issue in the leadlovers forms WordPress plugin, allowing unauthorized users to perform actions reserved for higher privileged users.
Such missing authorization vulnerabilities can potentially lead to unauthorized access to sensitive data or functionality, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and protection of personal or sensitive information.
However, the vulnerability is rated with a low severity CVSS score of 5.3 and is considered unlikely to be exploited with significant effect, which may reduce the immediate compliance risk.
No official patch is currently available, so mitigation involves updating the plugin when possible or seeking assistance from hosting providers or developers to reduce risk.