SQL Injection Vulnerability in Catalyst Connect Zoho CRM Client Portal Plugin for WordPress
CVE-2025-5017

4.9MEDIUM

What is CVE-2025-5017?

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is susceptible to a time-based SQL injection attack via the 'uid' parameter in all versions up to and including 2.2.0. This vulnerability arises from inadequate escaping of user-supplied parameters and insufficient preparation of the SQL query. Authenticated attackers with Administrator-level access can exploit this flaw to execute arbitrary SQL queries, potentially leading to unauthorized access and exposure of sensitive data stored in the database.

Affected Version(s)

Catalyst Connect Zoho CRM Client Portal 0 <= 2.2.0

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

siyuan shao
.