The CRM Memberships plugin for WordPress, versions up to and including 2.5, contains a missing capability check (CWE-862) in the 'ntzcrm_add_new_tag' function. This flaw enables unauthenticated attackers to create membership tags and alter CRM configuration settings without proper authorization. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact.

An attacker can create arbitrary membership tags and modify CRM configuration data without authentication, potentially leading to unauthorized changes in the CRM system's behavior or membership management. There is no direct impact on confidentiality or availability according to the CVSS vector. No known exploits are reported in the wild at this time.

No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict access to the plugin's functionality and monitor for suspicious activity related to membership tag creation. Avoid using affected versions in production environments if possible.