6.3

CVE-2025-5692

EPSS 0.04%
Veröffentlicht 02.07.2025 02:03:53
Zuletzt bearbeitet 30.09.2025 18:12:42
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions

The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.

Mögliche Gegenmaßnahme

Lead Form Data Collection to CRM: Update to version 3.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Lead Form Data Collection to CRM

Version *-3.1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Smackcoders ≫ Lead Form Data Collection To Crm SwPlatformwordpress Version < 3.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.134

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security@wordfence.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/26404b5c-a0f2-4223-be61-1f03873666fb?source=cve

Third Party Advisory

https://plugins.trac.wordpress.org/browser/wp-leads-builder-any-crm/trunk/includes/Functions.php#L423

Product

https://wordpress.org/plugins/wp-leads-builder-any-crm/

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3319750%40wp-leads-builder-any-crm&new=3319750%40wp-leads-builder-any-crm&sfp_email=&sfph_mail=

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/26404b5c-a0f2-4223-be61-1f03873666fb

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-5692

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-5692

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-5692

EUVD