The vulnerability identified as CVE-2025-13092 affects the ajitdas Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress, versions up to 1.1.8. The root cause is a missing authorization check (CWE-862) on the REST API endpoint /wp-json/devs-crm/v1/attendances. This endpoint is designed to provide attendance data but fails to verify whether the requester has the appropriate permissions or is authenticated. As a result, unauthenticated attackers can send requests to this endpoint and retrieve private user data, including sensitive information such as password hashes. The vulnerability is remotely exploitable without any user interaction or authentication, making it accessible to any attacker with network access to the WordPress site. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the ease of exploitation (network, no privileges required) but limited impact to confidentiality only, with no impact on integrity or availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability poses a significant risk because password hashes can be used in offline cracking attempts, potentially leading to account compromise if weak passwords are used. This issue highlights the importance of implementing proper capability checks on all REST API endpoints in WordPress plugins to prevent unauthorized data exposure.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive user data, including password hashes, which compromises confidentiality. Attackers can leverage this information to perform offline password cracking, potentially gaining access to user accounts and escalating privileges within the affected WordPress site. This can lead to further exploitation such as data theft, site defacement, or use of the compromised site as a launchpad for additional attacks. Although integrity and availability are not directly affected, the breach of confidentiality can undermine trust in the affected organization and lead to reputational damage, regulatory penalties, and financial loss. Organizations using the ajitdas Devs CRM plugin are at risk of data breaches, especially if they have not applied mitigations or updates. The vulnerability’s ease of exploitation and lack of authentication requirements increase the likelihood of opportunistic attacks, particularly on publicly accessible WordPress sites.

1. Immediate mitigation should include disabling or restricting access to the vulnerable REST API endpoint (/wp-json/devs-crm/v1/attendances) via web server configuration or firewall rules to prevent unauthenticated access. 2. Monitor web server logs for suspicious requests targeting this endpoint to detect potential exploitation attempts. 3. If possible, update the plugin to a version that includes the authorization check once released by the vendor; if no update is available, consider temporarily replacing the plugin with alternative solutions. 4. Implement Web Application Firewall (WAF) rules to block unauthorized access to the plugin’s REST API endpoints. 5. Enforce strong password policies and encourage users to change passwords to mitigate risks from exposed password hashes. 6. Conduct a thorough audit of user accounts and credentials for signs of compromise. 7. Follow secure development practices by ensuring all REST API endpoints enforce proper capability checks and authentication before exposing sensitive data. 8. Engage with the plugin vendor or community to track the release of patches and security advisories.