CVE-2025-13092: CWE-862 Missing Authorization in ajitdas Devs CRM – Manage tasks, attendance and teams all together
The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes.
AI Analysis
Technical Summary
CVE-2025-13092 identifies a missing authorization vulnerability (CWE-862) in the ajitdas Devs CRM – Manage tasks, attendance and teams all together WordPress plugin. The vulnerability exists because the /wp-json/devs-crm/v1/attendances REST API endpoint performs no capability check to verify that the requester is authorized to access the data. Consequently, unauthenticated attackers can query this endpoint and retrieve sensitive user information, including password hashes, without any authentication or user interaction. Because the plugin manages tasks, attendance, and teams, the exposed data is likely to include personally identifiable information as well as credentials. The CVSS v3.1 base score is 5.3 (medium severity): the attack vector is network, complexity is low, and no privileges or user interaction are required, but the impact is limited to confidentiality, with no integrity or availability impact. No official patch or fix has been released as of the publication date, and no exploitation in the wild has been reported. All versions up to and including 1.1.8 are affected, so users of this plugin should treat their installations as vulnerable until remediated. The missing authorization check is a critical security oversight that could facilitate data breaches and follow-on attacks such as credential reuse or social engineering.
Potential Impact
For European organizations, the unauthorized exposure of private user data, including password hashes, poses significant risks. Confidentiality breaches can lead to identity theft, unauthorized access to internal systems, and lateral movement within networks if attackers leverage stolen credentials. Organizations relying on this plugin for managing employee attendance and team coordination may face operational disruptions if attackers use the data to impersonate users or escalate privileges. Exposed password hashes can be subjected to offline cracking, especially if a weak hashing algorithm was used. This vulnerability could also damage organizational reputation and lead to regulatory penalties under GDPR due to inadequate protection of personal data. The medium CVSS score suggests moderate urgency, but the ease of exploitation and the sensitive nature of the data elevate the practical risk. Attackers targeting European entities with WordPress-based CRM solutions are likely to exploit this vulnerability to gain footholds or harvest credentials for broader campaigns.
Mitigation Recommendations
Since no official patches are currently available, European organizations should implement immediate compensating controls. First, restrict access to the /wp-json/devs-crm/v1/attendances REST API endpoint by configuring web application firewalls (WAFs) or reverse proxies to block unauthenticated requests to this path. Second, apply strict access controls on the WordPress installation, limiting plugin usage to trusted administrators and disabling or removing the plugin if it is not essential. Monitor web server and application logs for unusual requests targeting the vulnerable endpoint to detect exploitation attempts. Encourage users to change their passwords and enforce strong password policies to mitigate the risk from exposed password hashes. Once a patch is released, update the plugin to the fixed version promptly. Additionally, consider implementing multi-factor authentication (MFA) for WordPress admin accounts to reduce the impact of compromised credentials. Regularly audit installed plugins for vulnerabilities and maintain an inventory so that emerging threats can be addressed quickly.
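The following is an added illustration, not the plugin's own code. It shows the CWE-862 pattern the technical summary describes (a WordPress REST route whose permission_callback lets every caller through) beside a capability-checked registration, and a must-use-plugin filter that site operators can use as the compensating control from the mitigation section while no patch exists. The route name comes from the advisory; the handler name devs_crm_list_attendances and the choice of the list_users capability are assumptions.

```php
<?php
// Added example: illustrates the missing-authorization pattern and a fix.
// Not code from the Devs CRM plugin; handler and capability names are assumed.

// Weak pattern: '__return_true' means the permission check always passes,
// so unauthenticated requests reach the handler and whatever data it returns.
$weak_permission = '__return_true';

// Hardened pattern: require a logged-in user holding a suitable capability.
// 'list_users' is an assumed choice; use the narrowest capability that fits.
$hardened_permission = function ( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'list_users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view attendance records.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
};

add_action( 'rest_api_init', function () use ( $hardened_permission ) {
    register_rest_route( 'devs-crm/v1', '/attendances', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'devs_crm_list_attendances', // assumed handler name
        'permission_callback' => $hardened_permission,        // never $weak_permission
    ) );
} );

// Compensating control for an unpatched site: place this in
// wp-content/mu-plugins/ so it loads before the plugin and rejects
// unauthenticated calls to the vulnerable route before dispatch.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. '/devs-crm/v1/attendances'
    if ( 0 === strpos( $route, '/devs-crm/v1/attendances' ) && ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );
```

A reverse proxy or WAF cannot see WordPress's cookie-plus-nonce REST authentication, so a proxy-level rule effectively has to block the path for everyone; the rest_pre_dispatch filter applies the check inside WordPress, where the session state is known.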
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data version: 5.2
- Assigner short name: Wordfence
- Date reserved: 2025-11-12T20:40:30.930Z
- CVSS version: 3.1
- State: PUBLISHED
Threat ID: 693cef62d977419e584a4fec
Added to database: 12/13/2025, 4:45:22 AM
Last enriched: 12/20/2025, 6:20:02 AM
Last updated: 2/4/2026, 7:29:37 AM