CVE-2025-5692
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-09-30
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smackcoders | lead_form_data_collection_to_crm | up to 3.2 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Lead Form Data Collection to CRM plugin for WordPress, where a missing capability check in the doFieldAjaxAction() function allows authenticated users with Subscriber-level access or higher to modify data they should not be able to. This enables attackers to update arbitrary options on the WordPress site, including changing the default user role to administrator and enabling user registration, which can lead to attackers gaining administrative access. Other AJAX actions related to plugin settings are also insufficiently protected and exploitable.
How can this vulnerability impact me?
The vulnerability can lead to privilege escalation, allowing attackers with low-level access to gain administrative control over the WordPress site. This can result in unauthorized changes to site settings, creation of administrative users, and potentially full compromise of the website, impacting its integrity, availability, and confidentiality.
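The missing capability check described in the Q&A above is a classic CWE-862 shape for WordPress `wp_ajax_*` handlers: every logged-in account, including Subscribers, can reach such a hook, so a handler that writes request-supplied option names without authorization lets a low-privileged user set `default_role` or `users_can_register`. The snippet below is an added illustration of that pattern beside its hardened form; it is not the plugin's code. The handler names (`demo_vulnerable_field_action`, `demo_hardened_field_action`), the option allow-list, the nonce action name and the request field names are hypothetical; only the WordPress API calls (`current_user_can`, `check_ajax_referer`, `update_option`, `sanitize_key`, `wp_send_json_error`) are real.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress AJAX handler.
// NOT the plugin's code: handler names, option names and request fields are
// hypothetical; only the WordPress APIs used are real.

// --- Vulnerable shape: any authenticated user can trigger a wp_ajax_* hook,
// --- and this handler writes whatever option name/value the request names.
function demo_vulnerable_field_action() {
    $option = isset( $_POST['option'] ) ? $_POST['option'] : '';
    $value  = isset( $_POST['value'] ) ? $_POST['value'] : '';
    update_option( $option, $value ); // no capability check, no nonce, no allow-list
    wp_send_json_success();
}

// --- Hardened shape: authorize the caller, verify request intent, and only
// --- allow writes to the options this feature actually owns.
const DEMO_ALLOWED_OPTIONS = array( 'demo_crm_endpoint', 'demo_crm_field_map' ); // hypothetical

function demo_hardened_field_action() {
    // 1. Authorization: changing site settings requires manage_options, which
    //    Subscriber-level accounts do not have. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Nonce: rejects requests that were not issued from the plugin's own
    //    settings page (the page creates it with wp_create_nonce('demo_field_action')).
    check_ajax_referer( 'demo_field_action', 'nonce' );

    // 3. Allow-list: core options such as default_role and users_can_register
    //    can never be written through this endpoint, whatever the request says.
    $option = sanitize_key( wp_unslash( isset( $_POST['option'] ) ? $_POST['option'] : '' ) );
    if ( ! in_array( $option, DEMO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = sanitize_text_field( wp_unslash( isset( $_POST['value'] ) ? $_POST['value'] : '' ) );
    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option ) );
}

// Register only the hardened handler, and only for logged-in users: no
// wp_ajax_nopriv_* registration, so anonymous requests never reach it.
add_action( 'wp_ajax_demo_field_action', 'demo_hardened_field_action' );
```

The same three checks belong on every settings-related `wp_ajax_*` action the plugin registers, since the record notes that other actions were also insufficiently protected. For a site that ran an affected version, the defensive check is to compare the current values of `default_role` and `users_can_register` in `wp_options` against the intended configuration and to review any Administrator accounts created in the exposure window.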