CVE-2025-5692 identifies a missing authorization vulnerability (CWE-862) in the 'Lead Form Data Collection to CRM' WordPress plugin developed by smackcoders. The issue exists in all versions up to and including 3.1, specifically within the ~/includes/LB_admin_ajax.php file where several AJAX functions lack proper capability checks. This omission allows any authenticated user with Subscriber-level access or above to invoke these AJAX endpoints and perform unauthorized actions, such as modifying plugin settings. The vulnerability is exploitable remotely without user interaction and requires only low privileges, which are commonly granted to registered users on WordPress sites. The CVSS 3.1 base score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, and partial impact on confidentiality, integrity, and availability. This vulnerability is separate from CVE-2025-47690, which concerns arbitrary option updates via the doFieldAjaxAction() function. No patches have been linked yet, and no known exploits are reported in the wild. The flaw could be leveraged for privilege escalation or to disrupt CRM data collection processes by altering plugin configurations.

The vulnerability allows authenticated users with minimal privileges (Subscriber-level) to perform unauthorized actions within the plugin, potentially leading to unauthorized changes in CRM data collection settings. This can result in data integrity issues, unauthorized data exposure, or denial of service if settings are manipulated to disrupt normal operations. Organizations relying on this plugin for lead data collection risk compromised data accuracy and potential leakage of sensitive customer information. Attackers could also use this flaw as a stepping stone for further privilege escalation or lateral movement within the WordPress environment. Although the impact is limited to sites using this specific plugin, the widespread use of WordPress and CRM integrations means many organizations worldwide could be affected. The absence of known exploits reduces immediate risk, but the ease of exploitation and low privilege requirement make it a significant concern.

Organizations should immediately audit their WordPress installations for the presence of the 'Lead Form Data Collection to CRM' plugin and verify the version in use. Until an official patch is released, administrators should restrict plugin access strictly to trusted users and consider temporarily disabling the plugin if feasible. Implementing Web Application Firewall (WAF) rules to block unauthorized AJAX requests targeting LB_admin_ajax.php endpoints can reduce exposure. Monitoring logs for suspicious AJAX activity from low-privilege accounts is recommended. Additionally, site administrators should review user roles and permissions to ensure minimal privilege assignment, limiting Subscriber-level users' capabilities where possible. Once a patch is available, prompt updating to the fixed version is critical. Employing security plugins that enforce capability checks or custom code to add authorization validation to the vulnerable functions can serve as interim controls.