CVE-2026-1890 | THREATINT

Description

The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data

PUBLISHED Reserved 2026-02-04 | Published 2026-03-26 | Updated 2026-03-26 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

Any version before 3.0.22

affected

Credits

yiğit ibrahim sağlam finder

WPScan coordinator

References

wpscan.com/...rability/9b88be70-b5cc-4a3f-a871-64d61cb02076/ exploit vdb-entry technical-description

cve.org (CVE-2026-1890)

nvd.nist.gov (CVE-2026-1890)

Download JSON