Unauthenticated Arbitrary Post Deletion Vulnerability Patched in LeadConnector WordPress Plugin

On February 8th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an Arbitrary Post Deletion vulnerability in LeadConnector, a WordPress plugin with more than 20,000 active installations. This vulnerability could be used by unauthenticated attackers to delete arbitrary posts or pages.
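The post above states only the vulnerability class (an unauthenticated visitor could delete arbitrary posts or pages), not the plugin's code or root cause. The following is an added example, not LeadConnector's code, that shows the generic WordPress pattern behind this class of bug next to the hardened form a plugin author should use. The hook names, nonce action and parameter names are assumptions chosen for illustration.

```php
<?php
// Added example (not LeadConnector's code; the page does not describe the
// plugin's actual handler). Hook names, nonce action and parameter names are
// illustrative assumptions.

// Weak pattern: a handler registered on a wp_ajax_nopriv_* hook runs for
// logged-out visitors and deletes whatever ID it is handed. Nothing ties the
// request to a user, a capability, or a form this site issued.
function example_weak_delete_handler() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_example_delete', 'example_weak_delete_handler' ); // do not register this

// Hardened pattern: registered only for authenticated users (wp_ajax_, no
// nopriv variant), verifies a nonce, and checks the per-post capability
// before calling wp_delete_post().
function example_hardened_delete_handler() {
    // 1. CSRF protection: nonce action 'example_delete_post' and request
    //    field 'nonce' are assumptions for this example.
    check_ajax_referer( 'example_delete_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid post' ), 400 );
    }

    // 2. Authorization: the 'delete_post' meta-capability maps to the post's
    //    type and ownership, so a low-privilege user cannot delete another
    //    author's page even while logged in.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Audit trail: record who deleted what, which helps incident response
    //    reconstruct events if a site is later found tampered with.
    error_log( sprintf( 'post %d deleted by user %d', $post_id, get_current_user_id() ) );

    $result = wp_delete_post( $post_id, true );
    if ( ! $result ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete', 'example_hardened_delete_handler' );
```

The three checks are independent: the nonce alone does not authorize (any logged-in user can obtain one), and the capability check alone does not stop cross-site request forgery. Registering the handler only on the `wp_ajax_` hook is what closes the unauthenticated path the advisory describes; a `wp_ajax_nopriv_` registration for a destructive action should be treated as a review finding on its own.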

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $197.00 for this discovery during our Bug Bounty Program Extravaganza.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 9, 2024. Sites using the free version of Wordfence received the same protection on March 10, 2024.

Wordfence contacted the LeadConnector Team on February 8, 2024. After receiving no reply, Wordfence escalated the issue to the WordPress.org Security Team on March 8, 2024. The developer then released a patch on April 23, 2024.

We urge users to update their sites with the latest patched version of LeadConnector, which is version 1.8, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/197-bounty-awarded-for-unauthenticated-arbitrary-post-deletion-vulnerability-patched-in-leadconnector-wordpress-plugin/
