CVE-2025-13092
Unauthorized Data Access in Devs CRM WordPress Plugin

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description
The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes.
Meta Information
Published: 2025-12-13
Last Modified: 2025-12-13
Generated: 2026-05-07
AI Q&A: 2025-12-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wordpress
Product: wordpress
Version / Range: *
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Devs CRM WordPress plugin (up to version 1.1.8) where a missing capability check on the /wp-json/devs-crm/v1/attendances REST API endpoint allows unauthenticated attackers to access private user data, including password hashes.


How can this vulnerability impact me? :

An attacker can exploit this vulnerability to retrieve private user data without authentication, potentially exposing sensitive information such as password hashes. This could lead to unauthorized access to user accounts or further attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by attempting to access the /wp-json/devs-crm/v1/attendances REST API endpoint without authentication and checking if private user data, including password hashes, is returned. For example, you can use the following command to test this via curl: curl -X GET https://your-wordpress-site.com/wp-json/devs-crm/v1/attendances If the response contains sensitive user data without requiring authentication, your system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling or uninstalling the Devs CRM plugin version 1.1.8 or earlier until a patched version is released. Since the plugin was closed and temporarily unavailable as of December 11, 2025, you should remove it from your WordPress installation to prevent unauthorized data access. Additionally, monitor for updates from the plugin developer or WordPress security advisories to apply a fix once available. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart