Introduction
Attackers can take full administrative control of WordPress sites running affected versions of the LC Wizard (Connector Wizard) plugin by sending unauthenticated HTTP requests that create a new administrator account, provided the plugin's PRO features are enabled. An attacker-owned administrator account means immediate site takeover and a durable foothold, which matters most for organizations that run their business on WordPress.
LC Wizard (now Connector Wizard) is a WordPress plugin designed to integrate WordPress with the HighLevel/LeadConnector CRM. While not as widely recognized as core WordPress components, it serves a niche but important role for agencies and businesses leveraging CRM-driven workflows. The plugin is distributed via the official WordPress.org repository and has a history of recurring security issues, making its vulnerabilities particularly relevant for security teams managing CRM-integrated WordPress deployments.
Technical Information
CVE-2025-5483 is a privilege escalation vulnerability classified under CWE-862 (Missing Authorization). The root cause is a missing capability check in ghl-wizard/inc/wp_user.php: when the plugin's PRO functionality is enabled, it exposes an endpoint that creates user accounts without first verifying that the requester is permitted to do so. An unauthenticated attacker can therefore send a crafted HTTP request to that endpoint with parameters that produce a new WordPress administrator account.
No authentication or prior access is required, and attack complexity is low: anyone who can reach the site over the network can exploit the flaw with basic HTTP tooling. The vulnerability is confirmed in public advisories, but no public code snippet of the affected logic is available, so the exact request shape is not reproduced here. The flaw only manifests when PRO features are enabled; that is a per-site configuration, so defenders should verify the setting on each installation rather than assume they are unaffected.
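The following is an added illustration of the CWE-862 pattern described above, not the LC Wizard / Connector Wizard code (no public snippet of the affected logic exists). The hook names, parameter names and function names (example_wizard_create_user, _wpnonce, username, email, role) are assumptions chosen to show the shape of the bug, a WordPress AJAX handler that creates a user for anonymous callers without a capability check, next to the shape of a correct fix.

```php
<?php
/**
 * Added illustration of a missing-authorization (CWE-862) user-creation handler
 * in a WordPress plugin, and its hardened counterpart. Hypothetical code: the
 * action names, request parameters and function names are assumptions, not the
 * plugin's own.
 */

/*
 * VULNERABLE PATTERN
 * The handler is hooked on wp_ajax_nopriv_*, so admin-ajax.php runs it for
 * requests that carry no WordPress session at all, and it never asks whether
 * the caller may create users. Sanitising the inputs does nothing to stop an
 * anonymous POST with role=administrator.
 *
 * The two registrations are commented out so this file does not ship a live
 * vulnerable endpoint; removing them is the first half of the fix.
 */
// add_action( 'wp_ajax_nopriv_example_wizard_create_user', 'example_wizard_create_user_vulnerable' );
// add_action( 'wp_ajax_example_wizard_create_user',        'example_wizard_create_user_vulnerable' );

function example_wizard_create_user_vulnerable() {
	$user_id = wp_insert_user( array(
		'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
		'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
		'user_pass'  => (string) wp_unslash( $_POST['password'] ?? '' ),
		'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ), // attacker-controlled
	) );

	if ( is_wp_error( $user_id ) ) {
		wp_send_json_error( $user_id->get_error_message(), 400 );
	}
	wp_send_json_success( array( 'user_id' => $user_id ) );
}

/*
 * HARDENED PATTERN
 * 1. No wp_ajax_nopriv_ registration: anonymous callers are rejected by
 *    admin-ajax.php before any plugin code runs.
 * 2. A nonce ties the request to a form the current user was shown (CSRF).
 * 3. current_user_can() is the authorization check that was missing. This is
 *    still required on the logged-in hook: any subscriber can reach wp_ajax_*.
 * 4. The requested role is validated against the roles this user may assign,
 *    so a low-privileged caller cannot mint an administrator.
 * 5. The password is generated server-side; the caller never chooses it.
 */
add_action( 'wp_ajax_example_wizard_create_user', 'example_wizard_create_user_hardened' );

function example_wizard_create_user_hardened() {
	check_ajax_referer( 'example_wizard_create_user', '_wpnonce' ); // wp_die()s on failure

	if ( ! current_user_can( 'create_users' ) ) {
		wp_send_json_error( 'Insufficient permissions.', 403 );
	}

	// get_editable_roles() (wp-admin/includes/user.php, loaded by admin-ajax.php)
	// returns only the roles the current user is allowed to assign.
	$role = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );
	if ( ! array_key_exists( $role, get_editable_roles() ) ) {
		wp_send_json_error( 'Role not permitted.', 403 );
	}

	$user_id = wp_insert_user( array(
		'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
		'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
		'user_pass'  => wp_generate_password( 24, true, true ),
		'role'       => $role,
	) );

	if ( is_wp_error( $user_id ) ) {
		wp_send_json_error( $user_id->get_error_message(), 400 );
	}

	// Sends the new user a password-reset link rather than a password.
	wp_new_user_notification( $user_id, null, 'user' );
	wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The key point is that sanitisation and authorization are different controls: the vulnerable handler cleans its inputs perfectly well and is still fully exploitable, because nothing asks who is calling. The same missing check applies equally to REST routes (a `permission_callback` that returns true) and to custom front-end endpoints; wherever a request can change state, the handler needs a capability check on the server side, and a web application firewall rule in front of it is only a stopgap.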
Affected Systems and Versions
- Product: LC Wizard (Connector Wizard) WordPress plugin
- Vulnerable versions: 1.2.10 through 1.3.0
- Vulnerability is only present when PRO functionality is enabled
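Because successful exploitation leaves behind an administrator account, the first thing to check on a site that ran a version in the range above with PRO enabled is the administrator list. The snippet below is an added triage helper, not part of the plugin or of any advisory; the cut-off date and the allowlist of expected admin logins are placeholders you replace with your own values.

```php
<?php
/**
 * Added post-exposure triage helper (hypothetical, not the plugin's code).
 * Run inside WordPress, e.g. `wp eval-file admin-audit.php`, or from a
 * throwaway mu-plugin. Returns one line per administrator account that was
 * registered after a cut-off you choose (the date the affected version was
 * installed is a sensible choice) or that is not in your allowlist of known
 * admin logins.
 */
function example_audit_admins( $since_utc, array $expected_logins ) {
	// user_registered is stored in GMT, so compare in UTC.
	$since = strtotime( $since_utc . ' UTC' );

	$query = new WP_User_Query( array(
		'role'    => 'administrator',
		'orderby' => 'registered',
		'order'   => 'DESC',
	) );

	$findings = array();
	foreach ( $query->get_results() as $user ) {
		$registered = strtotime( $user->user_registered . ' UTC' );
		$reasons    = array();

		if ( $registered >= $since ) {
			$reasons[] = 'registered after cut-off';
		}
		if ( ! in_array( $user->user_login, $expected_logins, true ) ) {
			$reasons[] = 'not in allowlist';
		}

		if ( $reasons ) {
			$findings[] = sprintf(
				'ID %d %s <%s> registered %s UTC: %s',
				$user->ID,
				$user->user_login,
				$user->user_email,
				$user->user_registered,
				implode( ', ', $reasons )
			);
		}
	}
	return $findings;
}

// Placeholder values: replace the cut-off and the allowlist with your own.
foreach ( example_audit_admins( '2025-06-01 00:00:00', array( 'siteowner' ) ) as $line ) {
	echo $line, PHP_EOL;
}
```

For a quick look without writing any code, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` gives the same raw data. Treat any unexpected account as a confirmed compromise rather than a false positive: delete it, rotate credentials and keys (including any API keys the CRM integration stores), and look for other persistence such as modified plugin files or additional users whose role was changed after the cut-off, since an attacker with an administrator session is not limited to the one account the exploit created.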
Vendor Security History
The LC Wizard/Connector Wizard plugin has a documented history of security vulnerabilities:
- CVE-2025-58237: Stored Cross-Site Scripting in versions through 1.4.1 (requires contributor access)
- Multiple input validation and authorization issues in recent versions
- Security updates have been released for previous vulnerabilities, but recurring issues suggest ongoing challenges with secure development practices