LC Wizard 1.2.10 – 1.3.0 – Missing Authorization to Unauthenticated...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the administrator role when the PRO functionality is enabled.

Basic Information

ID CVE-2025-5483

Source Wordfence

Published Nov 7, 2025 at 03:27

Affected Product

Vendor niaj

Product Connector Wizard (formerly LC Wizard)

Version 1.2.10

Affected Versions niaj Connector Wizard (formerly LC Wizard) 1.2.10

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the administrator role when the PRO functionality is enabled.",
    "published": "2025-11-07T03:27:50.945Z",
    "modified": "2025-11-07T03:27:50.945Z",
    "type": "cve",
    "title": "LC Wizard 1.2.10 - 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42dcc302-b543-42c7-99fa-605f017beb1a?source=cve\nhttps://plugins.trac.wordpress.org/changeset/3366906",
    "id": "CVE-2025-5483",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "niaj Connector Wizard (formerly LC Wizard) 1.2.10",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Connector Wizard (formerly LC Wizard)",
    "version": "1.2.10",
    "vendor": "niaj",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

LC Wizard 1.2.10 – 1.3.0 – Missing Authorization to Unauthenticated Privilege Escalation_CVE-2025-5483