Unauthorized Data Modification in CRM Plugin for WordPress
CVE-2025-5692

8.8HIGH

Key Information:

Vendor: WordPress
Status: Lead Form Data Collection To Crm
Vendor: CVE Published:; 2 July 2025

What is CVE-2025-5692?

The Lead Form Data Collection to CRM plugin for WordPress is susceptible to unauthorized data modification. This occurs due to a missing capability check in the doFieldAjaxAction() function, affecting all versions up to and including 3.1. Authenticated attackers, with Subscriber-level privileges or higher, can exploit this vulnerability to alter settings within the WordPress site. They can manipulate critical options such as changing the default registration role to an administrator and enable user registration, potentially allowing attackers to gain administrative access to the vulnerable site. Other AJAX actions associated with plugin settings also lack sufficient protection, further increasing the risk.

Affected Version(s)

Lead Form Data Collection to CRM * <= 3.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-leads-build...

https://wordpress.org/plugins/wp-leads-builder-any-crm/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 2, 2025
Vulnerability Reserved
Jun 4, 2025

Credit

Youcef Hamdani