CVE-2025-13092
📋 TL;DR
The Devs CRM WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to access private user data through a REST API endpoint. This affects all WordPress sites using Devs CRM plugin versions 1.1.8 and earlier. Attackers can retrieve sensitive information including password hashes.
💻 Affected Systems
- Devs CRM – Manage tasks, attendance and teams all together WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of user accounts through password hash cracking, leading to unauthorized access, data theft, and potential privilege escalation within the WordPress site.
Likely Case
Unauthorized access to user data including names, email addresses, and password hashes, potentially enabling credential stuffing attacks against users who reuse passwords.
If Mitigated
Limited impact if strong password policies are enforced, password hashes are properly salted, and multi-factor authentication is implemented.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.9 or later
Vendor Advisory: https://wordpress.org/plugins/devs-crm/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Devs CRM plugin
4. Click 'Update Now' if update available
5. If no update available, deactivate and delete plugin until patch is released
🔧 Temporary Workarounds
Block vulnerable API endpoint
Add an .htaccess rule to block access to the vulnerable REST API endpoint
# Add to the .htaccess file in the WordPress root, above the "# BEGIN WordPress" block so it is evaluated first
RewriteEngine On
RewriteRule ^wp-json/devs-crm/v1/attendances - [F,L,NC]
# Also deny the query-string form of the same route (?rest_route=/devs-crm/v1/attendances), which bypasses a path-only rule
RewriteCond %{QUERY_STRING} rest_route=[^&]*devs-crm[^&]*attendances [NC]
RewriteRule ^ - [F,L]
Disable plugin
Temporarily disable the Devs CRM plugin until it is patched
wp plugin deactivate devs-crm
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to /wp-json/devs-crm/v1/attendances endpoint
- Monitor access logs for suspicious requests to the vulnerable endpoint and implement IP blocking for malicious actors
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Devs CRM version. If version is 1.1.8 or earlier, system is vulnerable.
Check Version:
wp plugin list --name=devs-crm --field=version
Verify Fix Applied:
After updating, verify that the plugin version shows 1.1.9 or later. Test API endpoint access by sending an unauthenticated GET request to /wp-json/devs-crm/v1/attendances; it should return 403 or 404.
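The version check above is easy to get wrong when scripted, because a plain string comparison ranks "1.1.10" below "1.1.9". The following script is an added example (not code from the advisory or from the Devs CRM project): it reads the JSON that `wp plugin list --format=json` prints, assuming the `name`, `status` and `version` fields, compares versions numerically against the 1.1.9 fix release, and reports whether the installed copy is affected. The sample output embedded at the bottom is constructed.

```python
import json
import re

PLUGIN_SLUG = "devs-crm"
FIXED_VERSION = "1.1.9"  # first patched release named in the advisory


def parse_version(text):
    """Turn '1.1.8' (or '1.1.10-beta') into a tuple of ints so that
    1.1.10 compares greater than 1.1.9; string comparison would not."""
    core = text.strip().split("-")[0]
    parts = re.findall(r"\d+", core)
    if not parts:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """Versions 1.1.8 and earlier are affected; 1.1.9 or later is fixed."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess(wp_plugin_list_json):
    """Read the JSON from `wp plugin list --format=json` (assumed fields:
    name, status, version) and report the plugin's state.  A deactivated
    plugin does not register its REST routes, so it is flagged separately."""
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        version = plugin.get("version", "")
        state = "vulnerable" if is_vulnerable(version) else "fixed"
        if state == "vulnerable" and plugin.get("status") == "inactive":
            state = "vulnerable-but-inactive"
        return {"installed": True, "version": version, "state": state}
    return {"installed": False, "version": None, "state": "not-affected"}


# Constructed sample output (not from a real site).
SAMPLE_WP_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "devs-crm", "status": "active", "update": "available", "version": "1.1.8"},
])

if __name__ == "__main__":
    # On a live site: wp plugin list --format=json | python3 this_script.py
    print(assess(SAMPLE_WP_OUTPUT))
```

Run it against real output by piping `wp plugin list --format=json` into `assess()`; "vulnerable-but-inactive" means the plugin files are still present and should be updated or deleted before it is ever reactivated.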
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /wp-json/devs-crm/v1/attendances from unauthenticated users
- Multiple rapid requests to the endpoint from single IPs
Network Indicators:
- Unusual traffic patterns to WordPress REST API endpoints
- Requests to devs-crm endpoints without authentication headers
SIEM Query:
source="web_logs" AND uri_path="/wp-json/devs-crm/v1/attendances" AND http_method="GET" AND NOT user_agent CONTAINS "WordPress"
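The log indicators above can be checked directly against web-server access logs. The script below is an added example (not part of the advisory): it parses Apache/nginx combined-format lines, flags GET requests that reach the attendances route either as the /wp-json/... path or through the ?rest_route= query form (the SIEM query above only matches the path form), and lists sources that exceed a hit threshold. The route comes from the advisory; the threshold, the log format and the sample lines (RFC 5737 documentation addresses) are assumptions constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

# Route from the advisory; the threshold is an assumption for this example.
VULN_ROUTE = "/devs-crm/v1/attendances"
RAPID_THRESHOLD = 3  # GETs from one source in the reviewed window worth flagging

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def route_matches(route):
    """True for the attendances collection or any resource beneath it."""
    route = unquote(route).rstrip("/")
    return route == VULN_ROUTE or route.startswith(VULN_ROUTE + "/")


def targets_vulnerable_route(target):
    """Match both ways WordPress exposes a REST route: the pretty-permalink
    /wp-json/<route> path and the ?rest_route=<route> query form."""
    parsed = urlparse(target)
    path = unquote(parsed.path)
    marker = "/wp-json"
    idx = path.find(marker + "/")
    if idx >= 0 and route_matches(path[idx + len(marker):]):
        return True
    return any(route_matches(r) for r in parse_qs(parsed.query).get("rest_route", []))


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyze(lines):
    """Return (hits, rapid_ips): hits are GET requests to the endpoint,
    rapid_ips are sources with RAPID_THRESHOLD or more such requests."""
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and targets_vulnerable_route(rec["target"]):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    rapid_ips = sorted(ip for ip, n in per_ip.items() if n >= RAPID_THRESHOLD)
    return hits, rapid_ips


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Nov/2025:10:00:01 +0000] "GET /wp-json/devs-crm/v1/attendances HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Nov/2025:10:00:02 +0000] "GET /wp-json/devs-crm/v1/attendances?page=2 HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Nov/2025:10:00:03 +0000] "GET /?rest_route=/devs-crm/v1/attendances HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Nov/2025:10:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2025:10:02:00 +0000] "POST /wp-json/devs-crm/v1/attendances HTTP/1.1" 401 120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Nov/2025:10:03:00 +0000] "GET /wp-json/devs-crm/v1/attendances HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, rapid = analyze(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["target"], h["ua"])
    print("rapid sources:", rapid)
```

A 200 on a hit means data was served and the response should be treated as a disclosure; a 403 shows the .htaccess or WAF block doing its job and is still worth recording as reconnaissance. Feed real logs with `analyze(open("/var/log/apache2/access.log"))`.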