CVE-2025-5483 HIGH

CVE-2025-5483: LC Wizard 1.2.10 - 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation

Vendor Niaj
Product Connector Wizard (formerly LC Wizard)
Weakness CWE-862 · Missing authorization
Published November 7, 2025
Last update November 7, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the administrator role when the PRO functionality is enabled.

Explanation of Vulnerability in Simple Terms

02 Summary

Connector Wizard (formerly LC Wizard) versions 1.2.10 through 1.3.0 are missing a capability check on user creation, so an unauthenticated attacker can create an account with the administrator role when the PRO functionality is enabled. With that account the attacker can read, modify, or delete site data without ever holding valid credentials. The CVSS vector rates attack complexity as High, so exploitation depends on specific conditions being met, but a successful attack poses a severe risk to site integrity and confidentiality.

What an attacker can do

03 Attacker Capabilities

Create a new user account with the administrator role without authenticating, and through it read, modify, or delete site data.

Potential impact on your site

04 Site Impact

Unauthorized users can access and alter sensitive information, compromise site integrity, and disrupt availability.

Conditions required to exploit

05 Prerequisites

Network access to the site, the plugin's PRO functionality enabled, and the specific conditions reflected in the High attack complexity rating.
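
A triage sketch for site owners, added here as an example and not taken from the vendor or the plugin: it checks an installed version against the affected range given in the description (1.2.10 to 1.3.0, compared numerically) and lists administrator accounts that are not on an allowlist. The sample user list, the allowlist and the exposure date are constructed assumptions, and the script does not check whether the PRO functionality is enabled.

```python
import json
import re
from datetime import datetime

# Affected range from the advisory, inclusive at both ends.
AFFECTED_MIN, AFFECTED_MAX = (1, 2, 10), (1, 3, 0)

def parse_version(text):
    """'1.2.10' -> (1, 2, 10); numeric tuples avoid lexical mis-ordering."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def audit_admins(users, known_admins, exposed_since):
    """Return (login, 'during'|'before') for each administrator that is not
    on the allowlist, relative to the start of the exposure window."""
    findings = []
    for user in users:
        if user["user_login"] in known_admins:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        findings.append((user["user_login"],
                         "during" if registered >= exposed_since else "before"))
    return findings

# Constructed sample, shaped like the JSON from
# `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`.
SAMPLE_USERS = json.loads("""[
  {"ID": 1,  "user_login": "siteowner",   "user_registered": "2023-02-11 09:14:02"},
  {"ID": 7,  "user_login": "oldagency",   "user_registered": "2024-06-30 16:40:55"},
  {"ID": 42, "user_login": "wp_support1", "user_registered": "2025-10-19 03:27:41"}
]""")
KNOWN_ADMINS = {"siteowner"}           # assumption: your own allowlist
EXPOSED_SINCE = datetime(2025, 9, 1)   # assumption: date an affected version was installed

if __name__ == "__main__":
    # "1.2.2" sorts inside the range as a string but is outside it numerically.
    for v in ("1.2.2", "1.2.9", "1.2.10", "1.3.0", "1.3.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for login, window in audit_admins(SAMPLE_USERS, KNOWN_ADMINS, EXPOSED_SINCE):
        print(f"review administrator {login!r}: registered {window} exposure window")
```

Accounts reported as registered during the exposure window are the ones to review first; an unrecognised administrator from before the window still deserves a look but is not explained by this CVE.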

Key dates

06 Disclosure timeline

November 7, 2025 CVE published
November 7, 2025 Record updated