
CVE-2025-5692: CWE-862 Missing Authorization in smackcoders Lead Form Data Collection to CRM

Severity: High
Tags: Vulnerability, CVE-2025-5692, CWE-862
Published: Wed Jul 02 2025 (07/02/2025, 02:03:53 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: Lead Form Data Collection to CRM

Description

The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable.

AI-Powered Analysis

Last updated: 07/02/2025, 02:54:31 UTC

Technical Analysis

CVE-2025-5692 is a high-severity vulnerability affecting the WordPress plugin 'Lead Form Data Collection to CRM' developed by smackcoders. The vulnerability stems from a missing authorization check (CWE-862) in the doFieldAjaxAction() function, which handles AJAX requests related to form data collection and plugin settings. This flaw exists in all versions up to and including 3.1 of the plugin. Because the plugin fails to verify user capabilities properly, any authenticated user with at least Subscriber-level access can exploit this vulnerability to modify arbitrary WordPress options. Critically, this includes the ability to change the default user role assigned upon registration to 'administrator' and to enable user registration. Consequently, an attacker can create new administrative accounts without requiring higher privileges or user interaction. Additionally, other AJAX actions related to plugin settings are also insufficiently protected, broadening the attack surface. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high impact: network attack vector, low attack complexity, low privileges required, no user interaction needed, and full confidentiality, integrity, and availability impact. Although no known exploits are currently reported in the wild, the ease of exploitation and potential for privilege escalation make this a critical risk for affected WordPress sites using this plugin. The vulnerability allows attackers to escalate privileges from Subscriber to Administrator, effectively compromising the entire site and potentially enabling further malicious activities such as data theft, site defacement, or deployment of malware.
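The following is an added illustration, not the plugin's own code (which is not reproduced on this page): the handler pattern the analysis describes, with the unguarded form beside a hardened one. The action name 'lfd_field_action', the nonce field name and the option allowlist are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's code. The action name 'lfd_field_action',
// the 'nonce' request field and the option names are assumptions.

// Pattern the advisory describes: an AJAX handler reachable by any logged-in
// user (the wp_ajax_* hook) that writes whatever option it is told to, with
// no capability check. A Subscriber can therefore set core options such as
// default_role and users_can_register.
function lfd_unsafe_field_ajax_action() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// Hardened form: nonce check, capability check (the control CWE-862 says is
// missing), and an allowlist so the handler can only touch the plugin's own
// settings, never core options.
function lfd_safe_field_ajax_action() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'lfd_field_action', 'nonce' );

    // 2. Authorization: only users allowed to manage site settings continue.
    //    wp_send_json_error() terminates the request, so nothing below runs
    //    for a Subscriber.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Restrict writable options to the plugin's own keys (assumed names).
    $allowed = array( 'lfd_crm_endpoint', 'lfd_field_mapping' );
    $name    = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown option' ), 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success( array( 'updated' => $name ) );
}
add_action( 'wp_ajax_lfd_field_action', 'lfd_safe_field_ajax_action' );
```

Reviewing a plugin for this class of bug means checking every `wp_ajax_*` callback for the same three things: a nonce, a capability check appropriate to the action, and a bound on which options or records it may write.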

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress websites integrated with the 'Lead Form Data Collection to CRM' plugin. The ability for low-privileged authenticated users to escalate privileges to administrator level can lead to full site compromise. This can result in unauthorized access to sensitive customer data collected via lead forms, violation of GDPR and other data protection regulations, reputational damage, and potential financial penalties. Organizations in sectors such as e-commerce, finance, healthcare, and public services, which often use WordPress for customer engagement and lead management, are particularly vulnerable. The compromise of administrative accounts can also facilitate further attacks within the organization's network if the WordPress site is connected to internal systems. Given the plugin’s widespread use in Europe, the vulnerability could be exploited to target organizations with large customer databases, undermining trust and operational continuity.

Mitigation Recommendations

Immediate mitigation steps include updating the 'Lead Form Data Collection to CRM' plugin to a patched version once released by smackcoders. Until a patch is available, organizations should restrict access to the WordPress backend, limiting Subscriber-level accounts and reviewing user roles to ensure minimal privileges. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious AJAX requests targeting the vulnerable functions can reduce risk. Additionally, disabling user registration temporarily or enforcing strong validation and CAPTCHA on registration forms can prevent unauthorized account creation. Regularly auditing WordPress user accounts for unexpected administrator additions and monitoring logs for anomalous AJAX activity are critical. Organizations should also consider isolating the WordPress environment from sensitive internal networks to limit lateral movement in case of compromise. Finally, educating site administrators about the risks and signs of exploitation will enhance early detection and response.
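To make the auditing and log-monitoring steps concrete, here is an added example (not part of the plugin or this advisory) of a must-use plugin that records exactly the changes the analysis says an attacker would make: a new value for default_role, users_can_register being switched on, and any grant of the administrator role. The plugin name, log prefix and the decision to notify the site's admin_email are assumptions.

```php
<?php
/**
 * Plugin Name: Privilege-change monitor (added example, not the plugin's code)
 * Place this file in wp-content/mu-plugins/ so it loads before normal plugins.
 *
 * Hooks the two option changes this advisory describes (default_role and
 * users_can_register) plus any grant of the administrator role, and records
 * the acting user and request context so log review has something concrete.
 */

function pcm_alert( $message ) {
    $user = wp_get_current_user();
    $ctx  = sprintf(
        '%s | actor=%s (id %d) | ip=%s | uri=%s | doing_ajax=%s',
        $message,
        $user->user_login ? $user->user_login : 'anonymous',
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        wp_doing_ajax() ? 'yes' : 'no'
    );
    error_log( '[pcm] ' . $ctx ); // ends up in the PHP / web server error log
    wp_mail( get_option( 'admin_email' ), 'WordPress privilege-change alert', $ctx );
}

// update_option_{$option} fires after the option is written: ($old, $new).
add_action( 'update_option_default_role', function ( $old, $new ) {
    if ( $new !== $old ) {
        pcm_alert( "default_role changed from '$old' to '$new'" );
    }
}, 10, 2 );

add_action( 'update_option_users_can_register', function ( $old, $new ) {
    if ( (int) $new === 1 && (int) $old !== 1 ) {
        pcm_alert( 'users_can_register was switched on' );
    }
}, 10, 2 );

// set_user_role fires when a role replaces the old ones (including the role
// assigned to a freshly registered account); add_user_role fires when a role
// is added alongside existing ones. Both pass ($user_id, $role).
$pcm_role_watch = function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        pcm_alert( "administrator role granted to user id $user_id" );
    }
};
add_action( 'set_user_role', $pcm_role_watch, 10, 2 );
add_action( 'add_user_role', $pcm_role_watch, 10, 2 );
```

An alert whose context shows doing_ajax=yes and an actor who is not an administrator is the signature a reviewer should treat as a likely exploitation attempt of this class of flaw.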


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-04T20:04:29.128Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68649be16f40f0eb729133b2

Added to database: 7/2/2025, 2:39:29 AM

Last enriched: 7/2/2025, 2:54:31 AM

Last updated: 7/4/2025, 5:32:49 AM

