Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2.
AnalysisAI
Leadlovers Forms WordPress plugin versions 1.0.2 and earlier allow unauthenticated remote attackers to bypass access controls and read sensitive information through incorrectly configured authorization checks. The vulnerability exposes confidential data without requiring authentication or user interaction, affecting the forms plugin deployed across WordPress installations. While the EPSS score of 0.02% suggests minimal exploitation probability, the unauthenticated attack vector and lack of user interaction make this a straightforward access control flaw that could enable information disclosure.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a foundational access control weakness where the leadlovers-forms plugin fails to properly validate user permissions before exposing sensitive functionality or data. The plugin likely lacks adequate capability checks (such as WordPress's current_user_can()) or role-based access controls on form-related endpoints or API calls, allowing unauthenticated network-based requests to retrieve restricted information. The WordPress plugin architecture relies on proper permission validation at multiple layers-database queries, REST API endpoints, AJAX handlers, and admin functions-and this vulnerability indicates a systematic gap in one or more of these layers.
RemediationAI
Users of Leadlovers Forms plugin should upgrade to a patched version released by Leadlovers after version 1.0.2 as soon as such a release becomes available. Check the official Leadlovers Forms plugin repository or vendor announcement for version numbers and upgrade instructions. In the interim, site administrators should restrict access to form administration pages through web server-level controls (IP whitelisting, authentication requirements) and review access logs for evidence of unauthorized data access. Patchstack's vulnerability database and advisory links provide monitoring and notification channels for when a patch is released.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20324
GHSA-j8hg-jwp2-x7f7