CVE-2025-14854 is a missing authorization vulnerability (CWE-862) in the WP-CRM System plugin for WordPress, developed by nofearinc. The issue arises from the absence of proper capability checks in two AJAX functions: wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status. These functions are accessible to authenticated users with subscriber-level privileges or higher, allowing them to enumerate email addresses stored in the CRM database, thereby exposing personally identifiable information (PII). Additionally, attackers can modify the status of CRM tasks, potentially disrupting project management workflows or causing data integrity issues. The vulnerability affects all plugin versions up to 3.4.5, with no patches currently available. The attack vector is remote over the network (AV:N), requires low attack complexity (AC:L), and privileges at the level of an authenticated user (PR:L). No user interaction is required (UI:N), and the scope is unchanged (S:U). The impact on confidentiality and integrity is low to moderate, with no impact on availability. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights a common security oversight in WordPress plugins where insufficient authorization checks on AJAX endpoints can lead to unauthorized data access and modification.

The primary impact of this vulnerability is unauthorized disclosure of personally identifiable information (PII) through enumeration of CRM contact email addresses, which can lead to privacy violations and potential phishing or social engineering attacks. Additionally, unauthorized modification of CRM task statuses can disrupt business operations, cause confusion in project management, and potentially lead to incorrect task prioritization or completion tracking. Organizations relying on WP-CRM System for client and project management risk data leakage and operational disruption. While the vulnerability requires authenticated access, subscriber-level accounts are commonly available or can be created on many WordPress sites, increasing the attack surface. The lack of availability impact limits the severity, but the integrity and confidentiality impacts are significant enough to warrant prompt remediation. This vulnerability could be exploited by insider threats or external attackers who gain low-level access, making it a concern for organizations handling sensitive client data or managing critical projects via this plugin.

To mitigate this vulnerability, organizations should immediately restrict subscriber-level user capabilities to the minimum necessary, potentially disabling or limiting access to the WP-CRM System plugin for low-privilege users. Implementing strict role-based access controls (RBAC) within WordPress can reduce the risk of exploitation. Monitoring and logging AJAX requests to the affected endpoints can help detect suspicious activity. Since no official patch is currently available, consider temporarily disabling the plugin or replacing it with an alternative CRM solution that enforces proper authorization. Additionally, web application firewalls (WAFs) can be configured to block unauthorized AJAX requests targeting these functions. Regularly review user accounts to remove or disable unnecessary subscriber-level accounts. Once a patch is released, prioritize immediate installation. Finally, educate users and administrators about the risks of granting excessive permissions and the importance of plugin security hygiene.