Skip to main content

Leadlovers Forms EUVDEUVD-2026-20324

| CVE-2026-39657 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-j8hg-jwp2-x7f7
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20324
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2.

AnalysisAI

Leadlovers Forms WordPress plugin versions 1.0.2 and earlier allow unauthenticated remote attackers to bypass access controls and read sensitive information through incorrectly configured authorization checks. The vulnerability exposes confidential data without requiring authentication or user interaction, affecting the forms plugin deployed across WordPress installations. While the EPSS score of 0.02% suggests minimal exploitation probability, the unauthenticated attack vector and lack of user interaction make this a straightforward access control flaw that could enable information disclosure.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a foundational access control weakness where the leadlovers-forms plugin fails to properly validate user permissions before exposing sensitive functionality or data. The plugin likely lacks adequate capability checks (such as WordPress's current_user_can()) or role-based access controls on form-related endpoints or API calls, allowing unauthenticated network-based requests to retrieve restricted information. The WordPress plugin architecture relies on proper permission validation at multiple layers-database queries, REST API endpoints, AJAX handlers, and admin functions-and this vulnerability indicates a systematic gap in one or more of these layers.

RemediationAI

Users of Leadlovers Forms plugin should upgrade to a patched version released by Leadlovers after version 1.0.2 as soon as such a release becomes available. Check the official Leadlovers Forms plugin repository or vendor announcement for version numbers and upgrade instructions. In the interim, site administrators should restrict access to form administration pages through web server-level controls (IP whitelisting, authentication requirements) and review access logs for evidence of unauthorized data access. Patchstack's vulnerability database and advisory links provide monitoring and notification channels for when a patch is released.

Share

EUVD-2026-20324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy