CVE-2025-13092
Unknown Unknown - Not Provided
Unauthorized Data Access in Devs CRM WordPress Plugin

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description
The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2025-12-13
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13092
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress wordpress *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Devs CRM WordPress plugin (up to version 1.1.8) where a missing capability check on the /wp-json/devs-crm/v1/attendances REST API endpoint allows unauthenticated attackers to access private user data, including password hashes.

Impact Analysis

An attacker can exploit this vulnerability to retrieve private user data without authentication, potentially exposing sensitive information such as password hashes. This could lead to unauthorized access to user accounts or further attacks.

Detection Guidance

You can detect this vulnerability by attempting to access the /wp-json/devs-crm/v1/attendances REST API endpoint without authentication and checking if private user data, including password hashes, is returned. For example, you can use the following command to test this via curl: curl -X GET https://your-wordpress-site.com/wp-json/devs-crm/v1/attendances If the response contains sensitive user data without requiring authentication, your system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include disabling or uninstalling the Devs CRM plugin version 1.1.8 or earlier until a patched version is released. Since the plugin was closed and temporarily unavailable as of December 11, 2025, you should remove it from your WordPress installation to prevent unauthorized data access. Additionally, monitor for updates from the plugin developer or WordPress security advisories to apply a fix once available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart