CVE-2026-39664
Missing Authorization in Leadrebel β€1.0.2 Enables Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leadrebel | leadrebel | to 1.0.2 (inc) |
| patchstack | leadrebel | to 1.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability allows unauthenticated users to perform privileged actions, potentially compromising the security of your website.
Although the CVSS severity score is 5.3, indicating low severity and low priority, it can still be exploited in mass-exploit campaigns targeting many websites indiscriminately.
No official patch is currently available, so immediate mitigation involves updating the plugin or seeking assistance from your hosting provider or web developer.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation involves updating the affected Leadrebel plugin to a version newer than 1.0.2 if available.
If updating is not possible, users are advised to seek assistance from their hosting provider or web developer to implement protective measures.
Patchstack also offers rapid vulnerability mitigation services that can help address this issue.
Can you explain this vulnerability to me?
CVE-2026-39664 is a Broken Access Control vulnerability in the WordPress Leadrebel Plugin versions up to and including 1.0.2.
This vulnerability involves missing authorization, authentication, or nonce token checks in certain functions, which means that unauthenticated users may be able to perform actions that normally require higher privileges.
It is classified under the OWASP Top 10 category A1: Broken Access Control.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves missing authorization and broken access control, which can allow unauthenticated users to perform actions requiring higher privileges. Such security weaknesses can potentially lead to unauthorized access to sensitive data or system functions.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require strict access controls and protection of personal or sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in the Leadrebel WordPress plugin involves missing authorization checks allowing unauthenticated users to perform privileged actions. Detection typically involves checking the plugin version and monitoring for unauthorized access attempts.
To detect if your system is vulnerable, first verify the installed version of the Leadrebel plugin. If it is version 1.0.2 or earlier, it is affected.
- Check the plugin version via WP-CLI: wp plugin list | grep leadrebel
- Search web server logs for suspicious requests targeting Leadrebel plugin endpoints that might indicate unauthorized access attempts.
- Use network monitoring tools to detect unusual HTTP requests or POST actions to the plugin's functions without proper authentication.
Since no official patch is available, monitoring and restricting access to the plugin's endpoints is recommended.