Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadrebel: from n/a through <= 1.0.2.
AnalysisAI
Leadrebel plugin version 1.0.2 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, exposing confidential data without authorization. The vulnerability stems from missing authorization checks on functionality that should be restricted, enabling attackers to bypass authentication mechanisms and retrieve non-public information. While the CVSS score is moderate (5.3) and real-world exploitation probability is low (EPSS 0.02%), the issue represents a fundamental authentication bypass in access control logic.
Technical ContextAI
This vulnerability is rooted in CWE-862 (Missing Authorization), a foundational access control flaw where the application fails to verify that users are authorized before granting access to sensitive functions or data. The Leadrebel plugin, identified via CPE cpe:2.3:a:leadrebel:leadrebel:*:*:*:*:*:*:*:*, implements web APIs or endpoints that process requests without proper authorization decorators or middleware checks. The CVSS vector indicates unauthenticated network-based access (AV:N/AC:L/PR:N/UI:N), meaning an attacker can exploit this directly over HTTP/HTTPS without credentials, user interaction, or elevated privileges. The confidentiality impact (C:L) confirms information disclosure rather than data modification or system unavailability, suggesting attackers can view restricted data such as lead records, configuration details, or user information.
RemediationAI
Update Leadrebel to a version newer than 1.0.2 immediately. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/leadrebel/vulnerability/wordpress-leadrebel-plugin-1-0-2-broken-access-control-vulnerability) for confirmation of the patched release version and installation instructions. As an interim mitigation while awaiting or testing an update, restrict network access to the Leadrebel plugin endpoints using Web Application Firewall (WAF) rules or access control lists (ACLs) to limit exposure only to trusted internal networks or known authorized users. Additionally, review server logs for suspicious unauthenticated requests to Leadrebel API endpoints or admin functions to determine if the vulnerability has been exploited.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20337
GHSA-vcv7-hm7p-jvh2