
CVE-2025-13092: CWE-862 Missing Authorization in ajitdas Devs CRM – Manage tasks, attendance and teams all together

Severity: Medium
Tags: Vulnerability, CVE-2025-13092, CWE-862
Published: Sat Dec 13 2025 (12/13/2025, 04:31:32 UTC)
Source: CVE Database V5
Vendor/Project: ajitdas
Product: Devs CRM – Manage tasks, attendance and teams all together

Description

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes.

AI-Powered Analysis

Last updated: 12/13/2025, 05:08:08 UTC

Technical Analysis

CVE-2025-13092 identifies a missing authorization vulnerability (CWE-862) in the ajitdas Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress. The vulnerability exists in the REST API endpoint /wp-json/devs-crm/v1/attendances, which lacks a capability check, allowing unauthenticated attackers to retrieve sensitive user data, including password hashes. This issue affects all plugin versions up to and including 1.1.8. The vulnerability is remotely exploitable without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The CVSS score of 5.3 reflects a medium severity level driven by the confidentiality impact; integrity and availability are unaffected. Although no public exploits have been reported, the exposure of password hashes could facilitate offline cracking attempts, potentially leading to account compromise. The plugin is used to manage tasks, attendance, and teams, which suggests deployment in organizational environments where sensitive employee data is stored. A REST API endpoint registered without an authorization check is a common security oversight that leads directly to data leakage. The vulnerability was published on December 13, 2025, and no patches or fixes have been linked yet, so users must rely on interim mitigations. The CVE was assigned by Wordfence and is tracked in the CVE database.
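The following is an added illustration of the CWE-862 pattern on a WordPress REST route and of the corresponding fix; it is not the Devs CRM plugin's code. The namespace example-crm/v1, the callback name and the list_users capability threshold are assumptions chosen to make the pattern concrete.

```php
<?php
// Added illustration, not vendor code. Shows why a REST route registered with
// '__return_true' as its permission_callback is an authorization gap (CWE-862),
// and what a hardened registration looks like.

add_action( 'rest_api_init', function () {

    // Vulnerable pattern: '__return_true' means the route is served to anyone,
    // authenticated or not. Whatever the callback returns leaves the site.
    register_rest_route( 'example-crm/v1', '/attendances-open', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_crm_attendances',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: require a logged-in user holding an explicit capability.
    // 'list_users' is an assumed threshold; a real plugin should define its own.
    register_rest_route( 'example-crm/v1', '/attendances', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_crm_attendances',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'list_users' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

// Second layer: even an authorized caller receives only the fields the feature
// needs. Serializing whole WP_User objects is what leaks user_pass (the password
// hash) and user_email, so select fields explicitly instead.
function example_crm_attendances( WP_REST_Request $request ) {
    $users = get_users( array( 'fields' => array( 'ID', 'display_name' ) ) );
    $rows  = array();
    foreach ( $users as $u ) {
        $rows[] = array(
            'user_id' => (int) $u->ID,
            'name'    => $u->display_name,
            // Placeholder attendance lookup; a real plugin reads its own table.
            'present' => (bool) get_user_meta( $u->ID, 'example_crm_present', true ),
        );
    }
    return rest_ensure_response( $rows );
}
```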

Potential Impact

For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure, particularly of private user information and password hashes. Exposure of password hashes can lead to credential compromise through offline brute-force or dictionary attacks, potentially enabling attackers to escalate privileges or move laterally within networks. Organizations relying on the ajitdas Devs CRM plugin for managing employee attendance and team tasks may face privacy violations under GDPR, leading to regulatory penalties and reputational damage. The breach of sensitive employee data can also disrupt internal operations and erode trust. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely at scale, increasing the risk of widespread data leakage. The medium CVSS score reflects moderate impact, but the actual damage could be higher if attackers successfully crack password hashes. The absence of known exploits in the wild reduces immediate threat but does not eliminate future risk. European SMEs and enterprises using WordPress with this plugin are particularly vulnerable, especially those in sectors with strict data protection requirements such as finance, healthcare, and public administration.

Mitigation Recommendations

Until an official patch is released, organizations should implement the following specific mitigations:

1) Restrict access to the vulnerable REST API endpoint by configuring web application firewalls (WAFs) or reverse proxies to block unauthenticated requests to /wp-json/devs-crm/v1/attendances.
2) Disable or remove the ajitdas Devs CRM plugin if it is not critical to business operations.
3) Enforce strong password policies and consider resetting passwords for users whose hashes may have been exposed.
4) Monitor web server and WordPress logs for unusual access patterns targeting the REST API endpoint.
5) Limit exposure of the WordPress REST API by disabling it for unauthenticated users where feasible, using plugins or custom code.
6) Conduct a thorough audit of user accounts and permissions within WordPress to ensure least privilege principles are applied.
7) Stay updated with vendor announcements and apply patches immediately once available.
8) Educate administrators about the risks of exposing sensitive endpoints without authorization checks.

These targeted actions go beyond generic advice by focusing on the specific vulnerable endpoint and plugin context.
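Mitigations 1, 4 and 5 can be combined in a small must-use plugin that denies unauthenticated (and low-privilege) calls to the affected namespace at dispatch time and logs each refusal. This is an added example, not vendor code; the file path, the list_users capability threshold and the log format are assumptions, and the guard should be removed once a fixed plugin release is installed.

```php
<?php
/**
 * Plugin Name: Interim guard for Devs CRM REST routes
 * Description: Added example (not vendor code). Place in wp-content/mu-plugins/
 *              to block unauthenticated access to /wp-json/devs-crm/v1/* until
 *              a patched release is installed, then remove it.
 */

// rest_pre_dispatch runs after WordPress has authenticated the request (cookie
// + nonce, application password, etc.) but before the route callback, so
// is_user_logged_in() reflects the real caller here. Returning a WP_Error
// short-circuits dispatch and the callback never runs.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Only act on the affected namespace; leave every other route untouched.
    if ( 0 !== strpos( $request->get_route(), '/devs-crm/v1/' ) ) {
        return $result;
    }

    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

    if ( ! is_user_logged_in() ) {
        // Log so refusals can be correlated with web server access logs.
        error_log( sprintf( 'devs-crm-guard: denied unauthenticated %s %s from %s',
            $request->get_method(), $request->get_route(), $ip ) );
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }

    // Attendance data for all users is not something every logged-in user
    // should read; 'list_users' is an assumed threshold, adjust to your roles.
    if ( ! current_user_can( 'list_users' ) ) {
        error_log( sprintf( 'devs-crm-guard: denied user %d on %s from %s',
            get_current_user_id(), $request->get_route(), $ip ) );
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }

    return $result;
}, 10, 3 );
```

Legitimate users of the CRM front end must be logged in and send the REST nonce for their requests to pass; if the plugin's own pages break, lower the capability rather than removing the login check.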


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-12T20:40:30.930Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693cef62d977419e584a4fec

Added to database: 12/13/2025, 4:45:22 AM

Last enriched: 12/13/2025, 5:08:08 AM

Last updated: 12/15/2025, 1:38:55 AM

