CVE-2026-1890: CWE-862 Missing Authorization in LeadConnector
CVE-2026-1890 is a medium severity vulnerability in the LeadConnector WordPress plugin versions before 3.0.22. It involves missing authorization checks on a REST API route, allowing unauthenticated attackers to invoke the route and overwrite existing data. The vulnerability does not impact confidentiality or availability but compromises data integrity. Exploitation requires no authentication or user interaction and can be performed remotely over the network. No known exploits are currently reported in the wild. Organizations using vulnerable versions of LeadConnector risk unauthorized data modification, which could disrupt business processes or lead to data corruption. Applying updates to version 3.0.
AI Analysis
Technical Summary
CVE-2026-1890 is a security vulnerability identified in the LeadConnector WordPress plugin, specifically in versions prior to 3.0.22. The root cause is a missing authorization check on a REST API route, classified under CWE-862 (Missing Authorization). This flaw allows unauthenticated users to invoke the vulnerable REST endpoint and overwrite existing data within the plugin's scope. Since the REST route lacks proper access control, an attacker can send crafted HTTP requests remotely without any credentials or user interaction, making exploitation straightforward. The vulnerability affects data integrity by enabling unauthorized modification of stored information but does not expose confidential data or disrupt service availability. The CVSS v3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, but integrity is compromised. No public exploits or active exploitation have been reported to date. The vulnerability was reserved in early February 2026 and published in late March 2026. The absence of a patch link suggests that users should verify plugin updates or vendor advisories to apply fixes promptly. This vulnerability is significant for any organization using LeadConnector on WordPress sites, especially those relying on the plugin for critical data management or customer interactions.
Potential Impact
The primary impact of CVE-2026-1890 is unauthorized data modification within the LeadConnector plugin environment. Organizations using vulnerable versions risk attackers overwriting or corrupting data managed by the plugin, potentially leading to inaccurate business records, disrupted workflows, or loss of data integrity. While confidentiality and availability remain unaffected, the integrity compromise can have downstream effects such as erroneous customer information, misconfigured settings, or invalid lead data, which could degrade service quality or trustworthiness. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, increasing the likelihood of opportunistic attacks. However, the lack of known exploits and the medium severity rating suggest the threat is moderate but should not be ignored. Organizations with high reliance on LeadConnector for customer relationship management or lead tracking may experience operational disruptions or reputational damage if data is manipulated maliciously.
Mitigation Recommendations
To mitigate CVE-2026-1890, organizations should immediately verify the LeadConnector plugin version installed on their WordPress sites and upgrade to version 3.0.22 or later, where the authorization checks are implemented. If an upgrade is not immediately feasible, administrators should restrict access to the REST API endpoints by implementing web application firewall (WAF) rules that block unauthorized requests to LeadConnector routes. Additionally, monitoring REST API traffic for unusual or unauthorized modification attempts can help detect exploitation attempts early. Applying the principle of least privilege to WordPress user roles and disabling unused REST API endpoints can reduce exposure. Regular backups of LeadConnector data are essential to recover from potential data corruption. Finally, organizations should stay informed through vendor advisories and security bulletins for any patches or additional mitigations.
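The defect class described above (a REST route registered without an authorization check) and its fix, shown as an added example using the WordPress REST API's own registration functions. This is hypothetical plugin code, not LeadConnector's; the namespace, route, option name and capability are assumptions.

```php
<?php
// Added illustration, not LeadConnector's code. The namespace, route,
// option name and capability are assumptions; the pattern is generic.

// Vulnerable registration (CWE-862): permission_callback always returns
// true, so an unauthenticated POST can overwrite the stored setting.
function example_plugin_register_route_unprotected() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',
    ) );
}

// Corrected registration: only a user holding the required capability can
// reach the handler. REST cookie authentication validates the X-WP-Nonce
// header before permission_callback runs, so a request without a valid
// nonce is treated as unauthenticated and fails current_user_can().
function example_plugin_register_route_protected() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            // 401 for anonymous callers, 403 for logged-in users lacking the capability.
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to change these settings.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
}

// Handler shared by both registrations; the authorization decision
// belongs in permission_callback, not here.
function example_plugin_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_api_key', sanitize_text_field( $request->get_param( 'api_key' ) ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

// Only the protected registration is hooked; the unprotected one is kept
// solely to show the defect.
add_action( 'rest_api_init', 'example_plugin_register_route_protected' );
```

A quick check for a deployed site is to review each `register_rest_route()` call in the plugin for a `permission_callback` that is `__return_true` or absent on any route that writes data.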
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-02-04T14:26:21.828Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c53917f4197a8e3bcae3e5
Added to database: 3/26/2026, 1:48:07 PM
Last enriched: 3/26/2026, 2:02:48 PM
Last updated: 3/26/2026, 2:48:46 PM