CVE-2026-39664
Received Received - Intake
Missing Authorization in Leadrebel ≀1.0.2 Enables Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: Patchstack

Description
Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadrebel: from n/a through <= 1.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39664
EUVD
EUVD-2026-20337
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
leadrebel leadrebel to 1.0.2 (inc)
patchstack leadrebel to 1.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows unauthenticated users to perform privileged actions, potentially compromising the security of your website.

Although the CVSS severity score is 5.3, indicating low severity and low priority, it can still be exploited in mass-exploit campaigns targeting many websites indiscriminately.

No official patch is currently available, so immediate mitigation involves updating the plugin or seeking assistance from your hosting provider or web developer.

Executive Summary

CVE-2026-39664 is a Broken Access Control vulnerability in the WordPress Leadrebel Plugin versions up to and including 1.0.2.

This vulnerability involves missing authorization, authentication, or nonce token checks in certain functions, which means that unauthenticated users may be able to perform actions that normally require higher privileges.

It is classified under the OWASP Top 10 category A1: Broken Access Control.

Mitigation Strategies

The immediate mitigation involves updating the affected Leadrebel plugin to a version newer than 1.0.2 if available.

If updating is not possible, users are advised to seek assistance from their hosting provider or web developer to implement protective measures.

Patchstack also offers rapid vulnerability mitigation services that can help address this issue.

Compliance Impact

The vulnerability involves missing authorization and broken access control, which can allow unauthenticated users to perform actions requiring higher privileges. Such security weaknesses can potentially lead to unauthorized access to sensitive data or system functions.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that require strict access controls and protection of personal or sensitive data.

Detection Guidance

The vulnerability in the Leadrebel WordPress plugin involves missing authorization checks allowing unauthenticated users to perform privileged actions. Detection typically involves checking the plugin version and monitoring for unauthorized access attempts.

To detect if your system is vulnerable, first verify the installed version of the Leadrebel plugin. If it is version 1.0.2 or earlier, it is affected.

  • Check the plugin version via WP-CLI: wp plugin list | grep leadrebel
  • Search web server logs for suspicious requests targeting Leadrebel plugin endpoints that might indicate unauthorized access attempts.
  • Use network monitoring tools to detect unusual HTTP requests or POST actions to the plugin's functions without proper authentication.

Since no official patch is available, monitoring and restricting access to the plugin's endpoints is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39664. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart