CVE-2025-67468: Missing Authorization in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms (cf7-salesforce) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms: from n/a through <= 1.4.6.
AI Analysis
Technical Summary
CVE-2025-67468 is a vulnerability identified in the CRM Perks Integration plugin that connects Salesforce CRM with several widely used WordPress form plugins: Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms. The root cause is missing authorization controls within the integration, which leads to incorrect access control enforcement. Specifically, users with limited privileges (PR:L) can exploit this flaw to perform unauthorized actions that should be restricted, such as modifying integration settings or manipulating data flows between WordPress forms and Salesforce. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 4.3, reflecting a medium severity level primarily due to its impact on data integrity without affecting confidentiality or availability. The scope remains unchanged (S:U), meaning the vulnerability affects only the vulnerable component and does not extend to other components or systems. No public exploits have been reported yet, but the risk remains significant for organizations relying on these integrations for CRM data collection and processing. The affected versions are all versions up to and including 1.4.6, with no specific earliest version identified. The vulnerability was published on December 9, 2025, by Patchstack. Due to the widespread use of these WordPress plugins and Salesforce in business environments, the vulnerability could be leveraged to alter CRM data or form submission processes, potentially leading to data integrity issues or business process disruptions.
Potential Impact
For European organizations, this vulnerability poses a risk to the integrity of CRM data and form submission workflows. Unauthorized users with limited privileges could manipulate data sent to Salesforce or alter integration configurations, potentially causing inaccurate customer data, erroneous sales records, or disruption of automated business processes. This could undermine decision-making, customer relationship management, and compliance with data governance policies. While confidentiality and availability are not directly impacted, the integrity compromise could lead to financial losses, reputational damage, and regulatory scrutiny, especially under GDPR where data accuracy is critical. Organizations heavily reliant on Salesforce integrated with WordPress forms are particularly vulnerable. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
Organizations should immediately audit their use of the CRM Perks Integration plugin and identify if they are running affected versions (<=1.4.6). Until a patch is released, restrict access to the integration’s administrative interfaces to trusted users only and enforce the principle of least privilege rigorously. Review and tighten user roles and permissions within WordPress and Salesforce to ensure no unnecessary privileges are granted. Monitor logs for unusual activities related to integration endpoints or form submissions. Implement web application firewalls (WAFs) with rules targeting suspicious access patterns to these plugins. Once a vendor patch or update is available, apply it promptly. Additionally, consider isolating or segmenting systems that handle CRM integration to limit potential lateral movement in case of exploitation. Regularly back up CRM and form data to enable recovery from potential integrity compromises.
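The bug class this advisory describes is a settings handler reachable by any authenticated user without a capability check. The following is a hypothetical WordPress AJAX handler added here as an illustration (not code from the CRM Perks plugin; the action, option and field names are invented), showing the missing-authorization pattern beside its hardened form.

```php
<?php
// Illustrative only: a hypothetical plugin settings handler, not the
// CRM Perks plugin's code. Names below are invented for the example.

// --- Vulnerable pattern ---
// wp_ajax_* hooks fire for EVERY logged-in user, whatever their role,
// so without an explicit capability check a low-privileged account
// (PR:L, e.g. Subscriber) can reach this handler.
add_action( 'wp_ajax_demo_save_sf_settings', 'demo_save_sf_settings_vulnerable' );
function demo_save_sf_settings_vulnerable() {
    // No current_user_can() and no nonce: integration settings such as the
    // Salesforce endpoint can be overwritten by any authenticated user.
    update_option( 'demo_sf_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// --- Hardened form ---
add_action( 'wp_ajax_demo_save_sf_settings_fixed', 'demo_save_sf_settings_fixed' );
function demo_save_sf_settings_fixed() {
    // 1. Authorization: only users allowed to manage the site may change
    //    integration settings. This is the check whose absence the CVE describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Request forgery protection: require a nonce bound to this action.
    check_ajax_referer( 'demo_save_sf_settings', 'nonce' );

    // 3. Validate and sanitize before persisting; never store raw POST data.
    $raw      = wp_unslash( $_POST['settings'] ?? array() );
    $settings = array(
        'sf_instance_url' => esc_url_raw( $raw['sf_instance_url'] ?? '' ),
        'enabled'         => ! empty( $raw['enabled'] ),
    );
    update_option( 'demo_sf_settings', $settings );
    wp_send_json_success( $settings );
}
```

When auditing a plugin for this class of flaw, look for every `wp_ajax_*`, `admin_post_*` or REST route callback that writes options or triggers outbound CRM calls and confirm each one performs a capability check (not merely `is_user_logged_in()`) before acting.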
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-08T16:00:53.489Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693833a029cea75c35ae51eb
Added to database: 12/9/2025, 2:35:12 PM
Last enriched: 1/21/2026, 12:44:56 AM
Last updated: 2/7/2026, 4:47:51 AM