CVE-2025-5692
📋 TL;DR
The Lead Form Data Collection to CRM WordPress plugin has a missing capability check vulnerability that allows authenticated attackers with Subscriber-level access or higher to perform unauthorized administrative actions like updating settings. This affects all versions up to and including 3.1. The vulnerability is in the LB_admin_ajax.php file.
💻 Affected Systems
- Lead Form Data Collection to CRM WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify plugin settings, potentially compromising form data collection, altering CRM integrations, or enabling further attacks through configuration changes.
Likely Case
Unauthorized users modify plugin settings, disrupt form functionality, or alter data collection workflows without proper authorization.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized setting changes that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple AJAX requests. The vulnerability is well-documented with specific file references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.1
Vendor Advisory: https://wordpress.org/plugins/wp-leads-builder-any-crm/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Lead Form Data Collection to CRM'.
4. Click 'Update Now' if available.
5. If no update appears, manually download the latest version from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate wp-leads-builder-any-crm
Access Restriction
Restrict access to /wp-admin/admin-ajax.php for non-administrators
# Add to .htaccess for Apache.
# Caveat: the cookie test is only a username heuristic (it passes any
# wordpress_logged_in_* cookie whose value contains "admin"), and blocking
# admin-ajax.php for everyone else also breaks legitimate front-end AJAX
# used by themes and other plugins.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_.*admin [NC]
RewriteRule .* - [F,L]
🧯 If You Can't Patch
- Remove Subscriber and higher role access from untrusted users
- Implement web application firewall rules to block suspicious AJAX requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 3.1 or lower, system is vulnerable.
Check Version:
wp plugin get wp-leads-builder-any-crm --field=version
Verify Fix Applied:
Verify that the plugin version is higher than 3.1. Test with a Subscriber account that AJAX actions requiring admin capabilities are rejected.
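What the missing check looks like and what the rejection tested above should come from, as an added illustration of the bug class (not the plugin's actual code): a WordPress AJAX settings handler without a capability check beside its hardened form. The function names, option name and nonce action (lb_example_*) are hypothetical.

```php
<?php
// Illustrative WordPress AJAX handler pattern (hypothetical names, not the
// plugin's code). Vulnerable form: registered via add_action('wp_ajax_...'),
// so any logged-in user, Subscriber included, can reach it, and it saves
// settings without checking capabilities or a nonce.
function lb_example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'lb_example_settings', $settings ); // no authorization check
    wp_send_json_success();
}

// Hardened form: same handler, but it refuses callers who lack the
// admin-level capability and rejects requests without a valid nonce.
function lb_example_save_settings_fixed() {
    // Authorization: only users allowed to manage options may change settings.
    // wp_send_json_error() calls wp_die(), so execution stops here for them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    // CSRF protection: the nonce is issued with wp_create_nonce( 'lb_example_save' )
    // and sent in the POST field 'nonce'.
    check_ajax_referer( 'lb_example_save', 'nonce' );

    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', (array) $settings );
    update_option( 'lb_example_settings', $settings );
    wp_send_json_success();
}

// Both variants are reachable only by authenticated users via
// POST /wp-admin/admin-ajax.php?action=lb_example_save_settings; the
// difference is what the handler verifies once it has been called.
add_action( 'wp_ajax_lb_example_save_settings', 'lb_example_save_settings_fixed' );
```

A Subscriber calling the hardened handler receives an HTTP 403 JSON error and the option is untouched, which is the behaviour the verification step above expects after the fix.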
📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to /wp-admin/admin-ajax.php from non-admin users
- Plugin setting changes from low-privilege user accounts
- Unusual activity in LB_admin_ajax.php access logs
Network Indicators:
- POST requests to admin-ajax.php with action parameters related to the vulnerable plugin from non-administrator user sessions
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND ("wp-leads-builder" OR "LB_admin_ajax") AND NOT user_role="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-leads-builder-any-crm/trunk/includes/Functions.php#L423
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3319750%40wp-leads-builder-any-crm&new=3319750%40wp-leads-builder-any-crm&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wp-leads-builder-any-crm/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/26404b5c-a0f2-4223-be61-1f03873666fb?source=cve