CVE-2025-14854
📋 TL;DR
The WP-CRM System WordPress plugin has missing capability checks on two AJAX functions, allowing authenticated users with subscriber-level access or higher to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. This affects all WordPress sites using WP-CRM System plugin versions up to and including 3.4.5.
💻 Affected Systems
- WP-CRM System WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all CRM contact email addresses (sensitive PII) and disrupt business operations by arbitrarily changing task statuses, potentially causing data protection compliance violations and operational confusion.
Likely Case
Authenticated attackers (including low-privilege users) will enumerate email addresses from the CRM system and modify task statuses, leading to privacy violations and workflow disruption.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized data access and minor workflow manipulation by authenticated users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via AJAX requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.6 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP-CRM System and click 'Update Now'. 4. Verify plugin version is 3.4.6 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints via .htaccess
linuxBlock access to the vulnerable AJAX functions by restricting wp-admin/admin-ajax.php requests containing specific parameters.
# Add to .htaccess in WordPress root directory
RewriteEngine On
RewriteCond %{QUERY_STRING} action=(wpcrm_get_email_recipients|wpcrm_system_ajax_task_change_status) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
🧯 If You Can't Patch
- Remove or disable the WP-CRM System plugin entirely.
- Restrict user registration and review existing user accounts for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP-CRM System version. If version is 3.4.5 or lower, system is vulnerable.Check Version:
wp plugin list --name='WP-CRM System' --field=versionVerify Fix Applied:
After updating, confirm WP-CRM System plugin version is 3.4.6 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=wpcrm_get_email_recipients or action=wpcrm_system_ajax_task_change_status from low-privilege user accounts.
- Unusual task status changes in CRM logs from non-administrative users.
Network Indicators:
- HTTP POST requests to admin-ajax.php with vulnerable action parameters from authenticated sessions.
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND (query_string="*action=wpcrm_get_email_recipients*" OR query_string="*action=wpcrm_system_ajax_task_change_status*"))🔗 References
- https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177
- https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942
- https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve
