{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39657", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:53.260Z", "datePublished": "2026-04-08T08:30:36.400Z", "dateUpdated": "2026-04-09T15:09:02.125Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "leadlovers-forms", "product": "leadlovers forms", "vendor": "leadlovers", "versions": [{"lessThanOrEqual": "1.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:39.994Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects leadlovers forms: from n/a through <= 1.0.2.</p>"}], "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:36.400Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/leadlovers-forms/vulnerability/wordpress-leadlovers-forms-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:06:45.962756Z", "id": "CVE-2026-39657", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:09:02.125Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39657", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:06:45.962756Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:05:45.433Z"}}], "cna": {"title": "WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "leadlovers", "product": "leadlovers forms", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.2"}], "packageName": "leadlovers-forms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:39.994Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/leadlovers-forms/vulnerability/wordpress-leadlovers-forms-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects leadlovers forms: from n/a through <= 1.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:36.400Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39657", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:09:02.125Z", "dateReserved": "2026-04-07T10:57:53.260Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:36.400Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2."}], "id": "CVE-2026-39657", "lastModified": "2026-04-09T16:16:30.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:36.840", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/leadlovers-forms/vulnerability/wordpress-leadlovers-forms-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "leadlovers forms", "source": "cna", "vendor": "leadlovers"}, "product": "leadlovers_forms", "vendor": "leadlovers"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:04:25.608463+00:00", "value": {"mitigation_remediation": ["Upgrade the Leadlovers Forms plugin to a version newer than\u202f1.0.2 or apply the vendor\u2019s patch if available.", "If an update is not immediately possible, restrict access to the plugin\u2019s administrative pages to trusted user roles or disable the plugin for untrusted accounts."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized access to restricted functionality"}, "threat_synthesis": {"affected_systems": "The Leadlovers Forms plugin, a WordPress extension, is affected. All releases up to and including version\u202f1.0.2 are vulnerable. Users deploying these versions should verify compatibility and apply updates.", "description_and_impact": "This vulnerability is a missing authorization flaw in the Leadlovers Forms plugin for WordPress. Exploiting incorrectly configured access control, an attacker can gain access to or manipulate content that should only be available to authorized users. The weakness is identified as CWE\u2011862, indicating that the plugin fails to enforce proper permissions, leading to potential unauthorized data exposure or modification.", "risk_and_exploitability": "The CVSS score is not provided, but missing authorization generally represents a high-impact risk. There is no EPSS data and the issue is not listed in CISA\u2019s KEV catalog, so the likelihood of widespread exploitation is uncertain. Based on the description, the likely attack vector is through the plugin\u2019s web interface, where authenticated users or also unauthenticated users may trigger restricted actions."}}}}, "created": "2026-04-08T19:28:16.140164+00:00", "updated": "2026-04-08T19:41:19.198650+00:00", "vendors": ["leadlovers", "leadlovers$PRODUCT$leadlovers_forms", "wordpress", "wordpress$PRODUCT$wordpress"]}