LeadConnector WP Plugin v<=1.7: Unauth Deletion via lc_public_api_proxy()
CVE-2024-1371 Published on April 30, 2024

LeadConnector <= 1.7 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2024-34378 is likely a duplicate of this issue.

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2024-1371 has been classified as an AuthZ vulnerability or weakness.


Products Associated with CVE-2024-1371

Affected Versions

varunvairavanlc LeadConnector: wordpress leadconnector:

Exploit Probability

EPSS: 0.10%
Percentile: 26.64%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.