
CVE-2025-10746: CWE-306 Missing Authentication for Critical Function in cyberlord92 Integrate Dynamics 365 CRM

Severity: Medium
Tags: vulnerability, cve, cve-2025-10746, cwe-306
Published: Sat Oct 04 2025 (10/04/2025, 02:24:36 UTC)
Source: CVE Database V5
Vendor/Project: cyberlord92
Product: Integrate Dynamics 365 CRM

Description

The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints, provided they can craft malicious requests with specific parameters.

AI-Powered Analysis

Last updated: 10/04/2025, 02:49:46 UTC

Technical Analysis

CVE-2025-10746 is a security vulnerability identified in the Integrate Dynamics 365 CRM plugin for WordPress, developed by cyberlord92. This vulnerability affects all versions up to and including version 1.0.9. The root cause is the absence of proper authentication mechanisms, specifically missing capability checks and nonce verification on functions hooked to the WordPress 'init' action. This flaw allows unauthenticated attackers to invoke critical plugin functions without any access control. Exploitation can lead to unauthorized deactivation of the plugin, manipulation of OAuth configuration settings, and triggering of test connection routines that may leak sensitive data. The vulnerability is classified under CWE-306, which pertains to missing authentication for critical functions. The CVSS v3.1 base score is 6.5 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and impacts on confidentiality and integrity but not availability (C:L/I:L/A:N). No known exploits are currently reported in the wild, and no patches have been published at the time of this report. The vulnerability's exploitation requires crafting specific malicious HTTP requests targeting vulnerable endpoints exposed by the plugin, which is commonly used to integrate Microsoft Dynamics 365 CRM with WordPress sites. Given the plugin's role in handling OAuth configurations and CRM data, successful exploitation could compromise sensitive business information and disrupt CRM integration workflows.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites integrated with Microsoft Dynamics 365 CRM via the affected plugin. Unauthorized deactivation of the plugin could disrupt business-critical CRM workflows, impacting sales, customer service, and operational processes. Tampering with OAuth configurations could allow attackers to intercept or manipulate authentication tokens, potentially leading to unauthorized access to CRM data or other connected services. Exposure of sensitive data through test connection endpoints could result in leakage of confidential customer or business information, violating data protection regulations such as the GDPR. The medium CVSS score reflects moderate risk, but the lack of required privileges and user interaction increases the likelihood of exploitation. European organizations with public-facing WordPress sites using this plugin are particularly vulnerable, as the attack can be launched remotely over the network without authentication. The potential impact on confidentiality and integrity of CRM data can lead to reputational damage, regulatory penalties, and operational disruptions.

Mitigation Recommendations

1. Immediate mitigation should involve disabling or uninstalling the vulnerable Integrate Dynamics 365 CRM plugin until a secure patched version is released.
2. Monitor WordPress sites for unusual HTTP requests targeting the plugin's endpoints, especially those invoking 'init' hooked functions, to detect potential exploitation attempts.
3. Implement Web Application Firewall (WAF) rules to block unauthorized access to plugin-specific URLs and parameters that could be used to exploit this vulnerability.
4. Restrict access to WordPress admin and plugin endpoints using IP whitelisting or VPN access where feasible to reduce exposure.
5. Enforce strict OAuth token management policies and audit OAuth configurations regularly to detect unauthorized changes.
6. Once a patch is available, promptly apply it and verify that nonce verification and capability checks are properly enforced.
7. Conduct security reviews of other WordPress plugins to ensure similar missing authentication issues are not present.
8. Educate site administrators on the risks of installing unverified plugins and the importance of timely updates.
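The root cause described in the Technical Analysis (a privileged action hooked to 'init' with no capability check or nonce) and the verification step in mitigation 6 are illustrated below with an added example. This is not the plugin's code: the hook handler, query parameter, nonce action and function names are hypothetical placeholders; only the WordPress API calls (add_action, current_user_can, wp_verify_nonce, wp_nonce_url, deactivate_plugins) are real.

```php
<?php
// Added example, not code from the Integrate Dynamics 365 CRM plugin.
// All d365_example_* names and the 'd365_action' parameter are hypothetical.

// VULNERABLE PATTERN (CWE-306): a privileged action runs on 'init' for any
// visitor who supplies the right query parameter. No capability check, no nonce,
// so an unauthenticated request is enough to deactivate the plugin.
function d365_example_init_unsafe() {
    if ( isset( $_GET['d365_action'] ) && $_GET['d365_action'] === 'deactivate' ) {
        deactivate_plugins( plugin_basename( __FILE__ ) ); // reachable by anyone
    }
}
// add_action( 'init', 'd365_example_init_unsafe' );  // left unhooked on purpose

// HARDENED PATTERN: the same action gated the way WordPress expects.
function d365_example_init_safe() {
    if ( ! isset( $_GET['d365_action'] ) || $_GET['d365_action'] !== 'deactivate' ) {
        return; // not our request, do nothing
    }
    // 1. Authentication + authorization: the current user must hold the capability
    //    that the action actually needs (current_user_can() is false for anonymous users).
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce verification: the request must carry a nonce bound to this specific
    //    action and to the current user, which blocks forged cross-site requests.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'd365_example_deactivate' ) ) {
        wp_die( 'Invalid or expired nonce.', '', array( 'response' => 403 ) );
    }
    deactivate_plugins( plugin_basename( __FILE__ ) );
}
add_action( 'init', 'd365_example_init_safe' );

// The admin-side link that legitimately triggers the action embeds the matching nonce,
// so only a page rendered for an authorized user can produce a request that passes.
function d365_example_deactivate_url() {
    $url = add_query_arg( 'd365_action', 'deactivate', admin_url() );
    return wp_nonce_url( $url, 'd365_example_deactivate' );
}
```

When auditing a patched release (mitigation 6), the check to look for is exactly the pair above on every state-changing path: a current_user_can() test for a capability appropriate to the action and a wp_verify_nonce()/check_admin_referer() call bound to that action, before the privileged call runs. Handlers that run on 'init' for every request are a wider surface than admin_post_* or REST routes with a permission_callback, so moving them there is a further hardening step.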


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-19T19:39:41.942Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e0877c11971642e85b345e

Added to database: 10/4/2025, 2:33:32 AM

Last enriched: 10/4/2025, 2:49:46 AM

Last updated: 10/7/2025, 12:01:19 AM
