CVE-2025-14854: CWE-862 Missing Authorization in nofearinc WP-CRM System – Manage Clients and Projects
The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses.
AI Analysis
Technical Summary
CVE-2025-14854 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WP-CRM System plugin for WordPress, which is widely used for managing clients and projects. The issue stems from missing capability checks on two AJAX functions: wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status. These functions are reachable by any authenticated user with subscriber-level privileges or higher, a role that should normally have very limited access. Because the handlers never validate the caller's capabilities, attackers can enumerate email addresses stored in the CRM, exposing personally identifiable information (PII). Additionally, they can modify the status of CRM tasks, potentially disrupting project management workflows or causing data integrity issues. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS v3.1 base score is 5.4, indicating medium severity, with low attack complexity (AC:L) and no impact on availability (A:N). No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability affects all plugin versions up to and including 3.4.5. This flaw poses a risk to organizations relying on this plugin for client data management, especially where subscriber-level accounts are common or where internal users may have limited trust.
Potential Impact
For European organizations, the impact includes unauthorized disclosure of client email addresses, which constitutes a breach of confidentiality and may violate GDPR regulations, leading to potential legal and financial penalties. The ability to modify task statuses without authorization can undermine data integrity and disrupt project management processes, potentially affecting service delivery and operational efficiency. Organizations in sectors such as professional services, consulting, and SMEs that rely on WP-CRM System for client relationship management are particularly at risk. The exposure of PII can damage customer trust and brand reputation. Since the vulnerability requires only subscriber-level authentication, it increases the attack surface, especially in environments where user account management is lax or where external users may have subscriber access. The absence of known exploits currently reduces immediate risk but does not eliminate the threat of future exploitation. Overall, the vulnerability poses a moderate risk to confidentiality and integrity, with no direct impact on availability.
Mitigation Recommendations
Organizations should immediately audit user roles and permissions within their WordPress installations to ensure that subscriber-level accounts are tightly controlled and assigned only to trusted users. Restricting subscriber-level access or disabling unnecessary accounts can reduce exposure. Monitoring and logging AJAX requests to the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status endpoints can help detect suspicious activity. Until an official patch is released, consider implementing Web Application Firewall (WAF) rules to block or restrict access to these AJAX functions for lower-privileged users. Additionally, organizations can employ custom code to enforce capability checks on these AJAX endpoints as a temporary workaround. Regularly update the WP-CRM System plugin once a patch becomes available and verify that the update addresses the missing authorization checks. Conduct security awareness training for administrators and users about the risks of privilege misuse. Finally, review and enhance overall WordPress security posture, including strong authentication mechanisms and least privilege principles.
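The custom capability check described above, as an added mu-plugin example (not code from the WP-CRM System plugin or its vendor). It assumes the plugin registers its handlers on the standard wp_ajax_{action} hooks under the two action names quoted in the advisory, at the default priority, and it uses the core edit_posts capability as the floor because Subscribers lack it; the hypothetical wpcrm_guard_* names are this example's own.

```php
<?php
/**
 * Plugin Name: WP-CRM System AJAX capability guard (temporary workaround)
 * Description: Enforces a capability check in front of the two AJAX handlers
 * named in CVE-2025-14854 until a patched plugin release is installed.
 */

// Assumption: the plugin hooks these handlers on "wp_ajax_{action}" using the
// action names from the advisory.
const WPCRM_GUARDED_AJAX_ACTIONS = [
    'wpcrm_get_email_recipients',
    'wpcrm_system_ajax_task_change_status',
];

// Assumption: edit_posts is an acceptable floor (Subscribers lack it,
// Contributors and above have it). Adjust to the capability your site uses.
const WPCRM_GUARD_REQUIRED_CAP = 'edit_posts';

function wpcrm_guard_ajax_capability(): void {
    if ( current_user_can( WPCRM_GUARD_REQUIRED_CAP ) ) {
        return; // authorized: fall through to the plugin's own handler
    }

    // Record the denied attempt so log monitoring can flag enumeration activity.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'wpcrm-guard: denied ajax action "%s" for user %d from %s',
        $action,
        get_current_user_id(),
        $remote
    ) );

    // wp_send_json_error() ends the request via wp_die(), so the unguarded
    // plugin handler registered at priority 10 never executes.
    wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
}

foreach ( WPCRM_GUARDED_AJAX_ACTIONS as $ajax_action ) {
    // Priority 0 runs before the plugin's callback (default priority 10).
    add_action( 'wp_ajax_' . $ajax_action, 'wpcrm_guard_ajax_capability', 0 );
}
```

Drop the file into wp-content/mu-plugins/ so it loads unconditionally, and remove it once the vendor's fixed release is installed and verified.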
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-17T20:47:41.920Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69672e018330e067168f400f
Added to database: 1/14/2026, 5:47:45 AM
Last enriched: 1/14/2026, 6:06:59 AM
Last updated: 1/14/2026, 3:21:49 PM