CVE-2025-10746
BaseFortify
Publication date: 2025-10-04
Last updated on: 2025-10-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | integrate_dynamics_365_crm | 1.0.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Integrate Dynamics 365 CRM plugin for WordPress exists because it lacks proper capability checks and nonce verification on functions hooked to 'init'. This allows unauthenticated attackers to deactivate the plugin, alter OAuth configuration, and trigger test connections that can expose sensitive data by sending specially crafted requests to vulnerable endpoints.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized attackers to deactivate the plugin, tamper with OAuth settings, and access sensitive data through crafted requests. This could lead to unauthorized access to your CRM integration, potential data exposure, and disruption of service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Integrate Dynamics 365 CRM plugin for WordPress to a version later than 1.0.9 once available. Until then, restrict access to the plugin's endpoints and consider disabling the plugin if it is not essential. Monitor and block suspicious requests that attempt to deactivate the plugin or tamper with OAuth configurations.