CVE-2025-14854: CWE-862 Missing Authorization in nofearinc WP-CRM System – Manage Clients and Projects
CVE-2025-14854 is a medium severity vulnerability in the WP-CRM System WordPress plugin that allows authenticated users with subscriber-level access or higher to bypass authorization controls. The flaw exists due to missing capability checks in two AJAX functions, enabling attackers to enumerate CRM contact email addresses and modify task statuses without proper permissions. This leads to partial disclosure of personally identifiable information (PII) and unauthorized data manipulation. The vulnerability affects all versions up to and including 3.4.5. Exploitation requires authentication but no user interaction beyond that. There are no known exploits in the wild yet, and no official patches have been released. European organizations using this plugin in their WordPress environments, especially those handling client data, are at risk of data leakage and integrity issues. Mitigation involves restricting plugin access, monitoring user roles, and applying vendor patches once available.
AI Analysis
Technical Summary
CVE-2025-14854 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WP-CRM System plugin for WordPress, specifically versions up to 3.4.5. The vulnerability arises because the plugin's AJAX functions wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status do not perform proper capability checks before processing requests. This security oversight allows any authenticated user with subscriber-level privileges or higher to invoke these AJAX endpoints and enumerate email addresses stored in the CRM database, leading to unauthorized disclosure of personally identifiable information (PII). Additionally, attackers can modify the status of CRM tasks, compromising data integrity and potentially disrupting project management workflows. The vulnerability has a CVSS 3.1 base score of 5.4, indicating a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (authenticated user), no user interaction, and impacting confidentiality and integrity but not availability. No public exploits are known, and no patches have been officially released as of the publication date. The flaw is significant because WordPress is widely used, and the WP-CRM System plugin is popular among organizations managing client and project data, making the exposure of sensitive contact information and unauthorized task modifications a critical concern for data privacy and operational reliability.
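The following is an added illustration of the control CWE-862 says is missing, written as a generic WordPress AJAX handler pair; it is not WP-CRM System's code and does not reproduce the plugin's internals. The action names are prefixed `example_`, and the post types, meta keys, nonce name and the `edit_others_posts` capability are assumptions chosen for the example. The point it makes is the one the analysis above describes: in WordPress, `wp_ajax_{action}` hooks fire for any logged-in user, including subscribers, so a handler that returns CRM data or changes task state must check a capability itself (and, for writes, check it against the specific object).

```php
<?php
// Illustrative pattern only (not WP-CRM System's code): WordPress AJAX handlers
// that enforce authorization before returning CRM data or changing a task.
// Capability, post type, meta key and nonce names are assumptions for the example.

add_action( 'wp_ajax_example_get_email_recipients', 'example_get_email_recipients' );

function example_get_email_recipients() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_crm_nonce', 'nonce' );

    // 2. Authorization (the check CWE-862 describes as missing): being logged in
    //    is not enough; the caller must hold a capability that grants CRM access.
    //    'edit_others_posts' stands in for whatever capability a site assigns to
    //    CRM users; a subscriber does not have it.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $contact_ids = get_posts( array(
        'post_type'      => 'example_contact',
        'posts_per_page' => 100,
        'fields'         => 'ids',
    ) );

    $recipients = array();
    foreach ( $contact_ids as $id ) {
        $email = get_post_meta( $id, '_example_contact_email', true );
        if ( is_email( $email ) ) {
            $recipients[] = array( 'id' => $id, 'email' => $email );
        }
    }
    wp_send_json_success( $recipients );
}

add_action( 'wp_ajax_example_task_change_status', 'example_task_change_status' );

function example_task_change_status() {
    check_ajax_referer( 'example_crm_nonce', 'nonce' );

    $task_id = isset( $_POST['task_id'] ) ? absint( $_POST['task_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';

    // 3. Object-level authorization: the caller must be allowed to edit THIS task,
    //    not merely tasks in general. 'edit_post' with an ID applies the post
    //    type's author/role rules to that one object.
    if ( ! $task_id
        || get_post_type( $task_id ) !== 'example_task'
        || ! current_user_can( 'edit_post', $task_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Input validation: only a known status value may be written.
    $allowed = array( 'open', 'in_progress', 'done' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
    }

    update_post_meta( $task_id, '_example_task_status', $status );
    wp_send_json_success( array( 'task_id' => $task_id, 'status' => $status ) );
}
```

Note that `check_ajax_referer()` alone would not have prevented this class of issue: a nonce proves the request came from a page WordPress rendered for that user, not that the user is entitled to the data. The capability check is the separate, missing control, which is why a valid subscriber session is all the advisory says is required.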
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of client contact information, which may include sensitive personal data protected under GDPR. Exposure of such PII can lead to regulatory penalties, reputational damage, and loss of client trust. Unauthorized modification of task statuses can disrupt business processes, causing project delays or mismanagement. Organizations relying on WP-CRM System for client management are particularly vulnerable, especially small to medium enterprises that may have limited security controls. Since exploitation requires only subscriber-level authentication, attackers could leverage compromised or weak user accounts to exploit the flaw. The impact extends to compliance risks, operational disruptions, and potential data breaches, all of which are critical concerns for European entities handling personal and business data.
Mitigation Recommendations
Until an official patch is released, European organizations should implement strict access controls on WordPress user roles, limiting subscriber-level accounts and auditing existing users for unnecessary privileges. Employing Web Application Firewalls (WAFs) to monitor and block suspicious AJAX requests targeting wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status endpoints can reduce exploitation risk. Regularly review and harden WordPress security configurations, including disabling unused plugins and enforcing strong authentication mechanisms such as multi-factor authentication (MFA). Organizations should monitor logs for unusual activity related to CRM data access and task status changes. Once a vendor patch becomes available, prioritize its deployment. Additionally, consider isolating the CRM plugin environment or using role-based access control plugins to enforce stricter authorization checks. Conduct security awareness training for users to prevent credential compromise that could facilitate exploitation.
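As an added example of the interim blocking and log-monitoring measures recommended above, the following must-use plugin denies the two AJAX actions named in the advisory to any user who lacks a chosen capability and records each denied attempt. It is not vendor code and does not modify the plugin; it relies on `admin-ajax.php` firing `admin_init` before it dispatches `wp_ajax_{action}`, so a priority-0 hook runs ahead of the plugin's own handler. The required capability (`edit_others_posts`) and the log line format are assumptions to adjust per site.

```php
<?php
/**
 * Plugin Name: Example WP-CRM AJAX Guard (illustrative mu-plugin)
 *
 * Added example, not WP-CRM System or Wordfence code. Drop into
 * wp-content/mu-plugins/ so it loads before regular plugins. Until a vendor
 * patch is installed it refuses the two advisory-listed AJAX actions for any
 * caller without the required capability and logs the attempt for review.
 */

defined( 'ABSPATH' ) || exit;

// The two AJAX actions the advisory identifies as lacking capability checks.
const EXAMPLE_CRM_GUARDED_ACTIONS = array(
    'wpcrm_get_email_recipients',
    'wpcrm_system_ajax_task_change_status',
);

// Capability a legitimate CRM user is expected to hold (assumption; adjust to the site).
const EXAMPLE_CRM_REQUIRED_CAP = 'edit_others_posts';

// admin-ajax.php runs do_action('admin_init') before do_action("wp_ajax_{$action}"),
// so priority 0 here intercepts the request before the plugin's handler sees it.
add_action( 'admin_init', 'example_crm_guard_ajax', 0 );

function example_crm_guard_ajax() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }

    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, EXAMPLE_CRM_GUARDED_ACTIONS, true ) ) {
        return; // not one of the guarded actions
    }

    if ( current_user_can( EXAMPLE_CRM_REQUIRED_CAP ) ) {
        return; // authorized caller; let the plugin handle the request
    }

    // Record who was refused. error_log() goes to the PHP error log (or to
    // wp-content/debug.log when WP_DEBUG_LOG is on), where a SIEM rule can pick
    // up repeated denials from one account or address.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'example_crm_guard: denied action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        $remote
    ) );

    wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
}
```

Because the guard keys on the `action` parameter that `admin-ajax.php` itself dispatches on, it covers both GET and POST requests; the same two action names are what a WAF rule for this advisory would match. Remove the mu-plugin once the vendor release that adds the capability checks is deployed, so the site does not carry two overlapping authorization layers indefinitely.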
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-17T20:47:41.920Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69672e018330e067168f400f
Added to database: 1/14/2026, 5:47:45 AM
Last enriched: 1/21/2026, 8:29:42 PM
Last updated: 2/7/2026, 3:13:47 PM