CVE-2025-7695: CWE-862 Missing Authorization in alexacrm Dataverse Integration
The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account.
AI Analysis
Technical Summary
The alexacrm Dataverse Integration plugin for WordPress, in versions 2.77 through 2.81, contains a critical vulnerability tracked as CVE-2025-7695 and classified under CWE-862 (Missing Authorization). It affects the reset_password_link REST API endpoint, which accepts an id, email, or login parameter to identify a user and then calls get_password_reset_key() to generate a password reset link for that user. The endpoint verifies only that the caller is authenticated; it does not verify that the caller is authorized to request a password reset for the targeted account. Consequently, any authenticated user with at least Subscriber-level privileges can request password reset links for any user, including administrators, and hijack those accounts without any further user interaction. The vulnerability has a CVSS 3.1 base score of 8.8 (high severity): network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality, integrity, and availability. No exploits are currently known in the wild, but the straightforward exploitation path and the sensitivity of the affected accounts make the risk significant. The vulnerability was publicly disclosed on July 24, 2025; no official patches have been linked yet, so affected organizations should apply interim mitigations immediately.
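The missing check and its hardened form, as an added illustration in PHP that is not the plugin's code: the route, parameter and function names are assumptions that follow the handler described above, and the permission callbacks use WordPress core APIs only.

```php
<?php
// Added example, not the plugin's code. Resolve the target user from a
// client-supplied id, email or login, as the advisory describes the handler doing.
function example_resolve_target( WP_REST_Request $req ) {
    foreach ( array( 'id', 'email', 'login' ) as $field ) {
        $value = $req->get_param( $field );
        if ( null !== $value && '' !== $value ) {
            return get_user_by( $field, $value ); // false when no such user
        }
    }
    return false;
}

// CWE-862 shape: authentication is checked, authorization is not. Every
// logged-in user passes, whichever account the request names.
function example_vulnerable_permission( WP_REST_Request $req ) {
    return is_user_logged_in();
}

// Hardened form: the target must exist and the caller must be allowed to edit
// it. WordPress maps 'edit_user' with an ID to the user themselves or to
// holders of 'edit_users', so a Subscriber cannot target an administrator.
function example_hardened_permission( WP_REST_Request $req ) {
    $target = example_resolve_target( $req );
    // One response for unknown and forbidden targets avoids user enumeration.
    if ( ! is_user_logged_in() || ! $target || ! current_user_can( 'edit_user', $target->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    return true;
}

// Runs only after permission_callback returned true for the same request parameters.
function example_reset_link_handler( WP_REST_Request $req ) {
    $target = example_resolve_target( $req );
    $key    = get_password_reset_key( $target ); // string key or WP_Error
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    return rest_ensure_response( array( 'login' => $target->user_login, 'key' => $key ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/reset_password_link', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_reset_link_handler',
        'permission_callback' => 'example_hardened_permission', // not example_vulnerable_permission
    ) );
} );
```

The authorization decision belongs in permission_callback, before the handler runs, so that a request naming another user is rejected before any reset key is generated.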
Potential Impact
The impact of CVE-2025-7695 is severe for organizations using the alexacrm Dataverse Integration plugin on WordPress. Attackers with minimal privileges (Subscriber-level or higher) can escalate their privileges to administrator by generating password reset links for admin accounts, effectively hijacking these accounts. This can lead to full site compromise, including unauthorized access to sensitive data, modification or deletion of content, installation of backdoors or malware, and disruption of services. The breach of administrator accounts undermines the integrity and availability of the affected WordPress sites and can have cascading effects if the compromised site is part of a larger network or integrated with other systems. Organizations relying on this plugin for CRM or data integration are at risk of data breaches, loss of customer trust, regulatory penalties, and operational downtime. The ease of exploitation combined with the high privileges gained makes this vulnerability particularly dangerous.
Mitigation Recommendations
1. Immediate mitigation involves restricting access to the reset_password_link endpoint by implementing additional authorization checks at the web server or application firewall level to ensure only authorized users can invoke it.
2. Disable or restrict the Dataverse Integration plugin temporarily if patching is not immediately available.
3. Monitor logs for unusual password reset requests, especially those targeting administrator accounts.
4. Enforce strong authentication mechanisms such as multi-factor authentication (MFA) for all administrator accounts to reduce the risk of account takeover.
5. Regularly audit user roles and permissions to ensure minimal necessary privileges are assigned.
6. Once available, promptly apply official patches or updates from alexacrm addressing this vulnerability.
7. Consider implementing rate limiting on password reset requests to prevent automated exploitation attempts.
8. Educate users and administrators about this vulnerability and encourage vigilance for suspicious activity.
9. Employ intrusion detection systems to alert on anomalous REST API calls related to password resets.
10. Review and harden other REST API endpoints to prevent similar missing authorization issues.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-15T20:26:34.475Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6881fdd8ad5a09ad0033bf03
Added to database: 7/24/2025, 9:33:12 AM
Last enriched: 2/26/2026, 4:29:58 PM
Last updated: 3/25/2026, 7:09:32 AM