CSRF and XSS Vulnerability in UCRM Client Signup Plugin by Ubiquiti
CVE-2025-24289

7.5HIGH

Key Information:

Vendor

Ubiquiti Inc

Status
Ucrm Client Signup Plugin
Vendor
CVE Published:
29 June 2025

What is CVE-2025-24289?

The UCRM Client Signup Plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that can lead to Cross-Site Scripting (XSS). This flaw allows an attacker to potentially perform actions as an Administrator by tricking them into visiting a maliciously crafted webpage. As the plugin is disabled by default, users should be aware of this risk, particularly in scenarios where the plugin might be activated, making it imperative to ensure that proper security measures are in place.

Affected Version(s)

UCRM Client Signup Plugin 1.3.5

References

https://community.ui.com/releases/Security-Advisory-Bulle...

CVSS V3.0

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-24289 : CSRF and XSS Vulnerability in UCRM Client Signup Plugin by Ubiquiti