CVE-2025-13093
Unauthorized Data Modification in Devs CRM WordPress Plugin
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | devs_crm | <= 1.1.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Devs CRM WordPress plugin. The '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint lacks a capability check, so an unauthenticated attacker can call it and modify data; specifically, lead tags can be updated without any authorization. All versions up to and including 1.1.8 are affected.
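The bug class is CWE-862 in WordPress REST terms: a route whose `permission_callback` admits everyone. The following is an added example, not code from the Devs CRM plugin; it registers a route at the same path to show the missing-check pattern beside the corrected one. The handler body, the `_example_lead_tags` meta key, the request arguments and the `edit_others_posts` capability are assumptions for illustration.

```php
<?php
/**
 * Added example (not Devs CRM code): a bulk-update REST route with a
 * capability check, next to the CWE-862 pattern that omits it.
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'devs-crm/v1', '/bulk-update', array(
        'methods'  => 'POST',
        'callback' => 'example_bulk_update_leads',

        // VULNERABLE PATTERN (missing authorization check): anyone who can
        // reach /wp-json/devs-crm/v1/bulk-update may run the callback.
        // 'permission_callback' => '__return_true',

        // HARDENED PATTERN: require a logged-in user with a specific
        // capability. Cookie-authenticated requests must also carry a valid
        // X-WP-Nonce header, which WordPress verifies before this runs.
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Assumed capability; a real plugin would define its own.
            if ( ! current_user_can( 'edit_others_posts' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to modify leads.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },

        // Schema-based validation of the request body (assumed parameters).
        'args' => array(
            'lead_ids' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array( 'type' => 'integer' ),
            ),
            'tags' => array(
                'required' => true,
                'type'     => 'array',
                'items'    => array( 'type' => 'string' ),
            ),
        ),
    ) );
} );

/**
 * Hypothetical handler: overwrites the tag list on each given lead.
 * Storage as post meta is an assumption for the example.
 */
function example_bulk_update_leads( WP_REST_Request $request ) {
    $lead_ids = array_map( 'absint', (array) $request->get_param( 'lead_ids' ) );
    $tags     = array_map( 'sanitize_text_field', (array) $request->get_param( 'tags' ) );

    foreach ( $lead_ids as $lead_id ) {
        update_post_meta( $lead_id, '_example_lead_tags', $tags );
    }

    return rest_ensure_response( array( 'updated' => count( $lead_ids ) ) );
}
```

The point to check in any plugin audit is the `permission_callback` value: `'__return_true'` (or omitting the key, which WordPress warns about but still allows) means the route is public, and the only thing standing between an anonymous HTTP client and the callback is the route path.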
What immediate steps should I take to mitigate this vulnerability?
Disable or uninstall Devs CRM version 1.1.8 or earlier until a patched version is released; the plugin was closed and temporarily unavailable for download as of December 11, 2025, so no fixed version could be installed at that time. If the plugin must stay active, restrict the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint to authenticated and authorized users, for example with a site-level filter that rejects unauthenticated requests to that namespace, so that unauthorized data modification is blocked before the route callback runs. [1]
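One way to apply the "restrict access to the endpoint" step without modifying the plugin is a must-use plugin that short-circuits REST requests to the plugin's namespace for anyone who is not a logged-in user with a suitable capability. This is an added example, not code from the Devs CRM plugin or from Wordfence; the file name, the `manage_options` capability and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary Devs CRM REST restriction (added example)
 * Description: Rejects unauthenticated or under-privileged requests to the
 *              devs-crm/v1 REST namespace before any route callback runs.
 *              Save as wp-content/mu-plugins/devs-crm-rest-guard.php and
 *              remove it once a patched plugin version is installed.
 */

// Assumed capability; adjust to the role that legitimately manages CRM data.
const EXAMPLE_DEVS_CRM_REQUIRED_CAP = 'manage_options';

// Namespace prefix as it appears in WP_REST_Request::get_route().
const EXAMPLE_DEVS_CRM_ROUTE_PREFIX = '/devs-crm/v1/';

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Leave every other REST route untouched.
    if ( strpos( $request->get_route(), EXAMPLE_DEVS_CRM_ROUTE_PREFIX ) !== 0 ) {
        return $response;
    }

    // An earlier filter already refused the request; do not mask its error.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    if ( ! is_user_logged_in() || ! current_user_can( EXAMPLE_DEVS_CRM_REQUIRED_CAP ) ) {
        // Log the attempt so blocked probes show up in the PHP error log.
        $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
        error_log( sprintf(
            'devs-crm-rest-guard: blocked %s %s from %s',
            $request->get_method(),
            $request->get_route(),
            $remote
        ) );

        // Returning a WP_Error here stops dispatch; the callback never runs.
        return new WP_Error(
            'rest_forbidden',
            'This endpoint is temporarily restricted.',
            array( 'status' => rest_authorization_required_code() ) // 401 for anonymous, 403 for logged-in
        );
    }

    return $response;
}, 10, 3 );
```

To confirm the guard is in place, send an unauthenticated POST to the endpoint (for example `curl -i -X POST https://your-site.example/wp-json/devs-crm/v1/bulk-update`) and check that the response is HTTP 401 with the `rest_forbidden` body rather than a success or a validation error from the plugin. A validation error would mean the plugin's own callback, or its argument checks, ran first, which is exactly what the filter is meant to prevent.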
How can this vulnerability impact me?
An unauthenticated attacker can modify lead tags stored by the CRM plugin. The impact described is to data integrity: tags can be changed or removed without authorization, and any business process that relies on accurate lead tagging (routing, segmentation, follow-up workflows) may be disrupted as a result.