CVE-2025-5483: 
WordPress vulnerability analysis and mitigation

The LC Wizard plugin for WordPress (versions 1.2.10 to 1.3.0) contains a privilege escalation vulnerability identified as CVE-2025-5483. The vulnerability stems from a missing capability check in the ghl-wizard/inc/wp_user.php file, which allows unauthenticated attackers to create new user accounts with administrator privileges when the PRO functionality is enabled. This vulnerability was discovered and reported by researcher kr0d, with public disclosure on November 6, 2025 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-862 (Missing Authorization) and specifically affects the user management functionality in the plugin. The vulnerability exists due to improper authorization controls in the wp_user.php file, allowing unauthorized access to administrative functions (Wordfence).

The vulnerability allows unauthenticated attackers to create administrator accounts on affected WordPress installations. This level of access could lead to complete site compromise, as administrator accounts have full control over the WordPress installation, including the ability to modify site content, install or remove plugins and themes, and access sensitive information (NVD).

The vulnerability has been addressed in version 1.4.0 of the plugin, which has been rebranded as Connector Wizard. Users are advised to update to this latest version immediately. The update includes security improvements and addresses the authorization bypass issue (WordPress Plugin).