What the vulnerability does
01 Description
The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the administrator role when the PRO functionality is enabled.
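A triage check for the condition described above, added here as an example (it is not code from the plugin or from this advisory). It assumes the two JSON inputs were exported with WP-CLI (`wp plugin list --format=json` and `wp user list --role=administrator --format=json`) and that the site keeps an allowlist of expected administrator logins; the sample data and the `known_admins` allowlist are constructed for illustration.

```python
import json
import re

PLUGIN_SLUG = "ghl-wizard"   # plugin directory named in the advisory's file path
AFFECTED_MIN = (1, 2, 10)    # first affected version per the advisory
AFFECTED_MAX = (1, 3, 0)     # last affected version per the advisory


def is_affected(version):
    """Compare numerically: as strings, '1.2.10' would wrongly sort before '1.2.9'."""
    parts = [int(n) for n in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))          # pad short versions such as '1.3'
    return AFFECTED_MIN <= tuple(parts) <= AFFECTED_MAX


def triage(plugins_json, admins_json, known_admins):
    """Report plugin exposure and administrator logins missing from the allowlist."""
    plugins = json.loads(plugins_json)
    admins = json.loads(admins_json)
    plugin = next((p for p in plugins if p.get("name") == PLUGIN_SLUG), None)
    return {
        "version": plugin["version"] if plugin else None,
        "affected": bool(plugin) and is_affected(plugin["version"]),
        "unexpected_admins": sorted(
            a["user_login"] for a in admins if a["user_login"] not in known_admins
        ),
    }


# Constructed sample exports; logins, e-mail-free records and dates are invented.
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "version": "5.3"},
    {"name": "ghl-wizard", "status": "active", "version": "1.2.10"},
])
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "site-owner", "user_registered": "2023-04-02 09:15:00"},
    {"ID": 57, "user_login": "example-new-admin", "user_registered": "2025-11-09 03:41:12"},
])
KNOWN_ADMINS = {"site-owner"}                # hypothetical allowlist

if __name__ == "__main__":
    print(triage(SAMPLE_PLUGINS, SAMPLE_ADMINS, KNOWN_ADMINS))
```

An administrator login outside the allowlist on a site running an affected version is a lead for review, not proof of compromise.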
Explanation of Vulnerability in Simple Terms
02 Summary
Connector Wizard versions 1.2.10 through 1.3.0 lack proper authorization checks, allowing unauthenticated attackers to perform sensitive actions on the site. An attacker can read, modify, or delete data without needing valid credentials. The vulnerability requires specific network conditions to exploit but poses a severe risk to site integrity and confidentiality.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete site data without authentication.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter sensitive information, compromise site integrity, and disrupt availability.
Conditions required to exploit
05 Prerequisites
Network access to the site; specific attack complexity conditions must be met.
Key dates
06 Disclosure timeline
November 7, 2025: CVE published
November 7, 2025: Record updated