If exploited, an attacker can silently overwrite lead and contact data stored by the LeadConnector plugin, corrupting CRM pipelines and marketing records without leaving an obvious trace. For businesses that depend on lead generation or CRM integrations through their WordPress site, this can mean lost sales opportunities, inaccurate customer records, and erosion of trust with downstream CRM platforms. CISA's active-exploitation designation means the risk is not theoretical — organizations that delay patching face a higher likelihood of real data loss or operational disruption.
You Are Affected If
You run the LeadConnector WordPress plugin version 3.0.21 or earlier on any WordPress site
The affected WordPress site is publicly accessible from the internet
The /wp-json/ REST API is not blocked at the WAF or perimeter for unauthenticated external users
You have not yet upgraded LeadConnector to version 3.0.22 or later
Your WordPress site is integrated with a CRM or marketing platform via LeadConnector, increasing the impact of data manipulation
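The first and last conditions in the checklist above reduce to one question: is the installed LeadConnector version below 3.0.22? The script below is an added example (not code from the advisory or from the plugin vendor) that answers it from the filesystem by reading the standard WordPress plugin header, and that can optionally probe whether /wp-json/ answers unauthenticated requests. It assumes the plugin lives under wp-content/plugins/leadconnector (slug assumed) and keeps a "Version:" line in its main PHP file, as WordPress plugins normally do. Version strings are compared numerically, because a plain string comparison would wrongly call "3.0.9" newer than "3.0.22".

```python
"""Check a WordPress install for a LeadConnector version below 3.0.22.

Added example, not from the advisory or the plugin vendor. Assumptions:
  - plugin directory is wp-content/plugins/leadconnector (slug assumed)
  - the main plugin file carries a standard "Version:" header line
"""
import re
import sys
import urllib.error
import urllib.request
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "3.0.22"        # first release the advisory lists as fixed
PLUGIN_SLUG = "leadconnector"   # assumed directory name under wp-content/plugins

# Matches " * Version: 3.0.21" style lines in a WordPress plugin header.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0.21' into (3, 0, 21); non-numeric suffixes are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, comparing component-wise with zero padding."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version: value from a plugin's PHP header block."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def find_plugin_version(wp_root: Path) -> Optional[str]:
    """Locate the plugin directory and return its declared version, or None."""
    plugin_dir = wp_root / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        v = version_from_header(php.read_text(errors="replace"))
        if v:
            return v
    return None


def rest_api_reachable(base_url: str, timeout: float = 5.0) -> bool:
    """True if an unauthenticated GET to /wp-json/ returns HTTP 200.

    A WAF or perimeter block typically yields 403 or a timeout instead.
    Network call; only run it against sites you are authorised to test.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/wp-json/",
                                 headers={"User-Agent": "lc-version-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, urllib.error.HTTPError, OSError):
        return False


# Constructed sample header for offline demonstration (not a real plugin file).
CONSTRUCTED_HEADER = """<?php
/**
 * Plugin Name: LeadConnector
 * Version: 3.0.21
 */
"""


if __name__ == "__main__":
    # Usage: python lc_check.py /var/www/html [https://example.com]
    if len(sys.argv) < 2:
        v = version_from_header(CONSTRUCTED_HEADER)
        print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
        sys.exit(0)
    v = find_plugin_version(Path(sys.argv[1]))
    if v is None:
        print("LeadConnector not found under the given WordPress root")
    else:
        print(f"LeadConnector {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    if len(sys.argv) > 2:
        print(f"/wp-json/ reachable unauthenticated: {rest_api_reachable(sys.argv[2])}")
```

Run it against the WordPress document root on each host; if the version check reports VULNERABLE and the REST probe reports True, every condition in the checklist above holds and the site should be treated as exposed until the plugin is upgraded or its REST routes are blocked at the perimeter.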
Board Talking Points
A confirmed, actively exploited flaw in a WordPress lead-generation plugin allows outsiders to overwrite customer and lead data on affected websites with no login required.
IT and security teams should upgrade the LeadConnector plugin to version 3.0.22 or later within 24 hours on all affected sites; sites that cannot be patched immediately should disable the plugin.
Organizations that do not act risk silent corruption of CRM and lead data, potential regulatory exposure if customer data is altered, and continued targeting given CISA's active-exploitation confirmation.
GDPR — LeadConnector stores and processes contact and lead data; unauthorised alteration of that data is an integrity breach within the GDPR definition of a personal data breach and must be assessed against the Article 33 obligation to notify the supervisory authority within 72 hours of becoming aware of it
CCPA — If the plugin processes California resident contact data, unauthorized data alteration may trigger breach notification assessment under California Civil Code 1798.82