The Integrate Dynamics 365 CRM plugin for WordPress, developed by cyberlord92, suffers from a critical missing authentication vulnerability (CWE-306) identified as CVE-2025-10746. This vulnerability affects all versions up to and including 1.0.9. The root cause is the absence of capability checks and nonce verification on functions hooked to the WordPress 'init' action, which is executed on every page load. This design flaw allows unauthenticated attackers to send crafted HTTP requests directly to vulnerable endpoints, bypassing any authentication or authorization mechanisms. Exploitation enables attackers to deactivate the plugin, tamper with OAuth configurations used for authenticating and authorizing Dynamics 365 CRM connections, and trigger test connection functions that may expose sensitive information. The vulnerability does not require any user interaction or prior authentication, making it remotely exploitable over the network with low attack complexity. The CVSS v3.1 base score is 6.5, indicating a medium severity level with impacts on confidentiality and integrity but no effect on availability. No patches or official fixes have been released at the time of this report, and no known exploits have been observed in the wild. The vulnerability is significant because it compromises the security of CRM integration, potentially exposing sensitive business data and disrupting CRM workflows. Organizations relying on this plugin for Dynamics 365 integration should consider immediate mitigation steps to prevent unauthorized access and data leakage.

The vulnerability allows unauthenticated remote attackers to perform unauthorized actions including deactivating the plugin, modifying OAuth configurations, and triggering test connections that may leak sensitive data. This can lead to exposure of confidential CRM data, disruption of business processes relying on Dynamics 365 integration, and potential escalation of further attacks leveraging compromised OAuth credentials. The integrity of CRM configuration and data is at risk, which can undermine trust in business-critical applications. Although availability is not directly impacted, the ability to disable the plugin could indirectly affect business operations. Organizations worldwide using this plugin in their WordPress environments for Dynamics 365 integration face risks of data breaches, unauthorized access, and operational disruption. The medium CVSS score reflects moderate severity but the ease of exploitation and lack of authentication requirements increase the urgency of addressing this vulnerability.

1. Immediately update the Integrate Dynamics 365 CRM plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict access to WordPress admin endpoints by IP whitelisting or web application firewall (WAF) rules to block unauthorized requests targeting the plugin's vulnerable functions. 3. Implement additional authentication and nonce verification on all plugin functions hooked to 'init' to ensure capability checks are enforced. 4. Monitor web server logs for suspicious requests containing parameters targeting the plugin's endpoints and investigate any anomalies. 5. Review and rotate OAuth credentials used by the plugin to mitigate risks from potential configuration tampering. 6. Employ network segmentation and least privilege principles to limit exposure of WordPress servers integrating Dynamics 365 CRM. 7. Educate administrators on the risks of unauthorized plugin deactivation and configuration changes. 8. Consider deploying runtime application self-protection (RASP) or endpoint detection tools to detect exploitation attempts in real time.