{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1890", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-02-04T14:26:21.828Z", "datePublished": "2026-03-26T06:00:09.659Z", "dateUpdated": "2026-03-26T13:33:43.195Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-26T06:00:09.659Z"}, "title": "LeadConnector < 3.0.22 - Unauthenticated Rest Call", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "LeadConnector", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "3.0.22"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data"}], "references": [{"url": "https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "yi\u011fit ibrahim sa\u011flam", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:33:31.155955Z", "id": "CVE-2026-1890", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:33:43.195Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1890", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:33:31.155955Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:33:40.576Z"}}], "cna": {"title": "LeadConnector < 3.0.22 - Unauthenticated Rest Call", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "yi\u011fit ibrahim sa\u011flam"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "LeadConnector", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-26T06:00:09.659Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1890", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:33:43.195Z", "dateReserved": "2026-02-04T14:26:21.828Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-26T06:00:09.659Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data"}], "id": "CVE-2026-1890", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T07:16:19.907", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.0.22)"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "LeadConnector", "source": "cna", "vendor": "Unknown"}, "product": "leadconnector", "vendor": "leadconnector"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T13:25:44.313534+00:00", "value": {"mitigation_remediation": ["Upgrade the LeadConnector plugin to version 3.0.22 or later.", "If an upgrade cannot be performed immediately, restrict access to the vulnerable REST endpoint using a firewall or a WordPress security plugin that limits API calls to authenticated users."], "summary": {"action": "Quick Patch", "impact": "Data tampering via unauthenticated REST endpoint"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the LeadConnector WordPress plugin for any installation running a version earlier than 3.0.22. No specific system denominations are listed, but any WordPress site that has the vulnerable plugin installed is affected.", "description_and_impact": "A WordPress plugin before version 3.0.22 allows any user to call a REST API route without authentication, enabling that user to overwrite existing data stored by the plugin. This lack of authorization can lead to loss of integrity for lead information, and if the overwritten data includes sensitive customer details, confidentiality may also be affected.", "risk_and_exploitability": "The security impact stems from an authentication bypass that permits attackers to execute the REST route unconditionally. Since the route is exposed over standard HTTP/HTTPS, an attacker only needs network access to the WordPress site's public server and the knowledge of the endpoint URL. No additional exploitation skills or exploit code are described. The Common Vulnerability Scoring System score is not provided, and EPSS data is unavailable; however, the ability to modify stored data without authentication indicates a moderate to high risk, especially for sites where lead data is critical."}}}}, "created": "2026-03-26T11:30:20.434510+00:00", "updated": "2026-03-26T13:54:55.932399+00:00", "vendors": ["leadconnector", "leadconnector$PRODUCT$leadconnector", "wordpress", "wordpress$PRODUCT$wordpress"]}