CVE-2025-13093: CWE-862 Missing Authorization in ajitdas Devs CRM – Manage tasks, attendance and teams all together
The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update lead tags.
AI Analysis
Technical Summary
CVE-2025-13093 is a vulnerability identified in the ajitdas Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress, affecting all versions up to and including 1.1.8. The vulnerability arises from a missing authorization check (CWE-862) on the REST API endpoint '/wp-json/devs-crm/v1/bulk-update'. This endpoint allows bulk updates to lead tags within the CRM system. Because the plugin fails to verify whether the requester has the necessary permissions, unauthenticated attackers can send crafted HTTP requests to modify lead tags arbitrarily. The vulnerability does not impact confidentiality or availability but compromises data integrity by allowing unauthorized data modification. The CVSS 3.1 base score is 5.3 (medium), reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), integrity impact (I:L), and no availability impact (A:N). No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. The issue is particularly relevant for organizations relying on this WordPress plugin for CRM functions, as unauthorized data changes could disrupt business processes and data accuracy.
Potential Impact
The primary impact of CVE-2025-13093 is unauthorized modification of CRM data, specifically lead tags, which can undermine the integrity of customer and sales data. This can lead to misclassification of leads, incorrect reporting, and potential disruption of marketing or sales workflows dependent on accurate tagging. While confidentiality and availability are not directly affected, data integrity issues can cause operational inefficiencies and loss of trust in CRM data. For organizations that rely heavily on this plugin for managing tasks, attendance, and teams, such unauthorized changes could cascade into broader business process errors. The ease of exploitation (no authentication or user interaction required) increases the risk of automated or opportunistic attacks, especially on publicly accessible WordPress sites. Although no known exploits are reported in the wild, the vulnerability presents a moderate risk that could be leveraged by attackers to manipulate CRM data for fraud, misinformation, or sabotage.
Mitigation Recommendations
To mitigate CVE-2025-13093, organizations should immediately update the ajitdas Devs CRM plugin to a version that includes proper authorization checks once available. In the absence of an official patch, administrators should restrict access to the REST API endpoint '/wp-json/devs-crm/v1/bulk-update' using web application firewalls (WAFs) or server-level access controls to allow only trusted IP addresses or authenticated users. Implementing strict authentication and authorization mechanisms for REST API endpoints is critical. Monitoring and logging API requests for unusual activity can help detect exploitation attempts. Additionally, organizations should review and validate CRM data integrity regularly to identify unauthorized modifications. Disabling or removing the plugin if it is not essential can also reduce exposure. Finally, maintaining up-to-date backups of CRM data ensures recovery in case of data tampering.
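An added illustration (not the plugin's own code, nor anything published by its author) of the fix the recommendations above call for: a WordPress REST route whose `permission_callback` enforces a capability check, shown beside the permissive pattern that produces a CWE-862 condition. The namespace `devs-crm/v1` and the `bulk-update` route come from the advisory; the capability `manage_options`, the request parameter names and every `example_*` function name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Route names come from the advisory;
// the capability, parameter names and example_* function names are assumptions.

// Vulnerable pattern (CWE-862): permission_callback answers "yes" to every
// request, so WordPress runs the handler for unauthenticated callers as well.
// Shown for contrast only; it is never hooked into rest_api_init below.
function example_register_bulk_update_vulnerable() {
    register_rest_route( 'devs-crm/v1', '/bulk-update', array(
        'methods'             => 'POST',
        'callback'            => 'example_bulk_update_handler',
        'permission_callback' => '__return_true', // no authorization check
    ) );
}

// Hardened pattern: the same route gated on a capability check. WordPress
// evaluates permission_callback before the callback and turns a WP_Error
// into a 401 (anonymous) or 403 (logged in, insufficient rights) response.
function example_register_bulk_update_hardened() {
    register_rest_route( 'devs-crm/v1', '/bulk-update', array(
        'methods'             => 'POST',
        'callback'            => 'example_bulk_update_handler',
        'permission_callback' => 'example_bulk_update_permission',
        'args'                => array(
            'lead_ids' => array( 'required' => true, 'type' => 'array' ),
            'tags'     => array( 'required' => true, 'type' => 'array' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_bulk_update_hardened' );

function example_bulk_update_permission( WP_REST_Request $request ) {
    // Assumed capability; use whichever one the plugin ties to lead editing.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to update lead tags.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_bulk_update_handler( WP_REST_Request $request ) {
    $lead_ids = array_map( 'absint', (array) $request->get_param( 'lead_ids' ) );
    $tags     = array_map( 'sanitize_text_field', (array) $request->get_param( 'tags' ) );
    // Persisting tags per lead is plugin-specific and omitted here.
    return rest_ensure_response( array( 'updated' => count( $lead_ids ), 'tags' => $tags ) );
}
```

With the hardened registration in place an anonymous POST to the route is answered with HTTP 401 before the handler runs, and those rejected requests are what the API-request monitoring recommended above should surface.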
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, Netherlands, South Africa
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-12T20:43:33.736Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693cef64d977419e584a5014
Added to database: 12/13/2025, 4:45:24 AM
Last enriched: 2/27/2026, 9:30:30 AM
Last updated: 3/25/2026, 2:48:40 AM