CVE-2026-1890 PUBLISHED

LeadConnector < 3.0.22 - Unauthenticated Rest Call

Assigner: WPScan
Reserved: 04.02.2026 Published: 26.03.2026 Updated: 26.03.2026

The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data

Product Status

Vendor	Unknown
Product	LeadConnector
Versions	Default: unaffected affected from 0 to 3.0.22 (excl.)

Credits

yiğit ibrahim sağlam finder
WPScan coordinator

References

https://wpscan.com/vulnerability/9b88be70-b5cc-4a3f-a871-64d61cb02076/

Problem Types

CWE-862 Missing Authorization CWE