CVE-2025-13361
CSRF in Web to SugarCRM Lead Plugin Allows Custom Field Deletion

Publication date: 2025-12-21

Last updated on: 2025-12-21

Assigner: Wordfence

Description
The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor      Product                 Version / Range
wordpress   web-to-sugarcrm-lead    *  (the CPE matches every version; per the description, versions up to and including 1.0.0 are affected)
Exploitability
CWE ID    Description
CWE-352   Cross-Site Request Forgery (CSRF): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.0.0. The AJAX handler that deletes a custom field does not validate a nonce, the per-user, time-limited token WordPress uses to prove that a request was issued from its own admin pages rather than from somewhere else. An attacker who cannot log in at all can therefore host a page or link that silently submits the deletion request; when a logged-in administrator opens it, the browser attaches the administrator's session cookies and the plugin performs the deletion as if the administrator had clicked the button. The fix adds nonce verification to the plugin's AJAX requests, so a request forged from another site fails that check before any field is removed. [1]


How can this vulnerability impact me?

An attacker can cause custom fields configured in the Web to SugarCRM Lead plugin to be deleted. The request runs under an administrator's own session, so the attacker needs no credentials, only an administrator who opens a crafted link or page while logged in. The result is loss of the custom lead fields the plugin uses for its SugarCRM integration, which can break lead capture and leave inconsistent lead data until the fields are recreated. The flaw does not by itself disclose data or give the attacker control of the site; its effect is on the integrity of your lead-field configuration. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start with the installed version: every version up to and including 1.0.0 is affected, so the version shown on the Plugins screen (or in the plugin's main file header under wp-content/plugins/web-to-sugarcrm-lead/) tells you whether the site is at risk. Confirming the flaw dynamically means sending the deletion request to /wp-admin/admin-ajax.php with action=WPSCL_Custom_Field_Delete but without a wpscl_nonce value, using a logged-in administrator's session cookies (with curl, pass them via -b); a vulnerable version deletes the field, a fixed version rejects the request. A bare curl or wget without those cookies exercises a different code path: admin-ajax.php only dispatches logged-in (wp_ajax_) handlers to callers with a session, so if, as the advisory's wording implies, the action is registered only for logged-in users, an unauthenticated request tells you nothing about the nonce check. For after-the-fact detection, note that web server access logs record neither the POST body nor the nonce; what they do record is the Referer, so POST requests to admin-ajax.php arriving with a Referer from another origin, or with none at all, are the signal that a forged request may have been relayed through an administrator's browser. [1, 2, 4]
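
As an added example, not taken from the advisory or the plugin, the scanner below applies the log-based check from the answer above to a few constructed combined-format access-log lines. It reports POST requests to admin-ajax.php whose Referer is missing or belongs to another host; the site hostname crm.example.com, the IP addresses and the log lines themselves are all made up for the example.

```php
<?php
/*
 * Added illustration for the detection answer above; not part of the advisory.
 * Access logs never contain the POST body, so neither the action parameter nor
 * the nonce is visible there unless the caller put "action=" in the query
 * string. What a combined-format log does show is the Referer, and a POST to
 * admin-ajax.php whose Referer is another origin (or absent) has exactly the
 * shape of a forged request relayed by an administrator's browser.
 * The log lines at the bottom are constructed for this example.
 */

const SITE_HOST = 'crm.example.com'; // assumed hostname of the WordPress site

// Apache/Nginx "combined" format: ip - user [time] "req" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

/**
 * Return the lines that look like cross-site POSTs to admin-ajax.php.
 * Each finding carries ip, time, status, referer and the action if it was
 * visible in the query string.
 */
function wpscl_find_csrf_candidates( array $lines, string $site_host = SITE_HOST ): array {
    $findings = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_RE, trim( $line ), $m ) ) {
            continue; // not a combined-format line
        }
        [ , $ip, $time, $method, $path, $status, $referer ] = $m;
        if ( 'POST' !== $method || false === strpos( $path, '/wp-admin/admin-ajax.php' ) ) {
            continue;
        }
        $ref_host = ( '' === $referer || '-' === $referer ) ? '' : (string) parse_url( $referer, PHP_URL_HOST );
        if ( 0 === strcasecmp( $ref_host, $site_host ) ) {
            continue; // same-site Referer: ordinary admin UI traffic
        }
        // The action is only visible when it travelled in the query string.
        parse_str( (string) parse_url( $path, PHP_URL_QUERY ), $q );
        $findings[] = [
            'ip'      => $ip,
            'time'    => $time,
            'status'  => (int) $status,
            'referer' => $referer,
            'action'  => $q['action'] ?? '(not in query string)',
        ];
    }
    return $findings;
}

$sample_log = [
    // legitimate click in the plugin's settings page: same-site Referer, not reported
    '203.0.113.7 - - [21/Dec/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "https://crm.example.com/wp-admin/admin.php?page=wpscl" "Mozilla/5.0"',
    // same admin browser and session cookies, but the Referer is a third-party page: reported
    '203.0.113.7 - - [21/Dec/2025:10:05:40 +0000] "POST /wp-admin/admin-ajax.php?action=WPSCL_Custom_Field_Delete HTTP/1.1" 200 48 "https://attacker.example.net/free-leads.html" "Mozilla/5.0"',
    // unauthenticated probe with no session: admin-ajax answers "0" with HTTP 400; reported for review
    '198.51.100.9 - - [21/Dec/2025:10:06:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 1 "-" "curl/8.5.0"',
    // ordinary GET of a public page: ignored
    '198.51.100.9 - - [21/Dec/2025:10:06:30 +0000] "GET /contact/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
];

foreach ( wpscl_find_csrf_candidates( $sample_log ) as $f ) {
    printf( "%s %s status=%d referer=%s action=%s\n", $f['time'], $f['ip'], $f['status'], $f['referer'], $f['action'] );
}
```

Run it with `php scan.php`, or replace `$sample_log` with `file( '/var/log/apache2/access.log' )`. Two caveats when reading its output: an attacker page can suppress the Referer with a no-referrer policy, which is why empty Referers are reported too, and some privacy-conscious browsers strip Referers on legitimate traffic, so a hit is a lead to correlate with the administrator's activity and the plugin's field list, not proof on its own.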


What immediate steps should I take to mitigate this vulnerability?

Update the web-to-sugarcrm-lead plugin to the release that follows 1.0.0 and contains the nonce verification added in changeset 3423497; with that change, AJAX requests carry a nonce and a forged custom-field deletion is rejected. Until the update is applied, bear in mind that restricting wp-admin to trusted IP addresses does not stop this attack, because the forged request leaves the administrator's own browser from a permitted address. What does help in the interim is a web application firewall or server rule that rejects POSTs to admin-ajax.php whose Origin or Referer is not your own site, and asking administrators not to open untrusted links while logged in (a separate browser profile for site administration makes that easier to keep to). [1]
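
The following is an added illustration, not code from the Web to SugarCRM Lead plugin, of the handler pattern the Description and the mitigation answer above describe: an admin-ajax deletion action once without and once with nonce verification. The action name WPSCL_Custom_Field_Delete and the nonce field name wpscl_nonce are the ones named on this page; the nonce action string 'wpscl_custom_field_delete', the option name 'wpscl_custom_fields', the field_id parameter, the script handle and the manage_options capability are assumptions made for the example.

```php
<?php
/*
 * Added illustration, not the plugin's code. The two handlers model the
 * pattern the advisory describes: an admin-ajax action that deletes a custom
 * field. WPSCL_Custom_Field_Delete and wpscl_nonce come from this page; the
 * nonce action string, option name, field_id parameter, script handle and
 * capability are assumptions for the example.
 */

// BEFORE (vulnerable pattern). A handler of this shape, registered on
// wp_ajax_WPSCL_Custom_Field_Delete, accepts any request that arrives with an
// administrator's session cookies. A cross-site form that POSTs
// action=WPSCL_Custom_Field_Delete&field_id=... from the admin's browser is
// indistinguishable from a click in the plugin settings page.
function wpscl_custom_field_delete_vulnerable() {
    $field_id = isset( $_POST['field_id'] ) ? sanitize_key( $_POST['field_id'] ) : '';
    $fields   = get_option( 'wpscl_custom_fields', array() );
    unset( $fields[ $field_id ] );
    update_option( 'wpscl_custom_fields', $fields );
    wp_send_json_success();
}

// AFTER (hardened pattern, the kind of check the fix adds):
// 1. check_ajax_referer() verifies the nonce sent in the 'wpscl_nonce' field
//    and calls wp_die() with HTTP 403 if it is missing or stale, so a forged
//    cross-site request stops before any state changes;
// 2. current_user_can() keeps the action limited to users allowed to manage
//    plugin settings, independently of the nonce (a nonce proves intent, not
//    authorization).
function wpscl_custom_field_delete_hardened() {
    check_ajax_referer( 'wpscl_custom_field_delete', 'wpscl_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $field_id = isset( $_POST['field_id'] ) ? sanitize_key( wp_unslash( $_POST['field_id'] ) ) : '';
    $fields   = get_option( 'wpscl_custom_fields', array() );
    if ( '' === $field_id || ! isset( $fields[ $field_id ] ) ) {
        wp_send_json_error( 'unknown field', 400 );
    }
    unset( $fields[ $field_id ] );
    update_option( 'wpscl_custom_fields', $fields );
    wp_send_json_success( array( 'deleted' => $field_id ) );
}

// Only the logged-in hook is registered. With no wp_ajax_nopriv_ counterpart,
// admin-ajax.php answers unauthenticated callers with "0" (HTTP 400), which is
// why the attack needs an administrator's browser to relay the request.
add_action( 'wp_ajax_WPSCL_Custom_Field_Delete', 'wpscl_custom_field_delete_hardened' );

// The nonce reaches the settings page's script through wp_localize_script();
// the script sends it back as the 'wpscl_nonce' POST field together with
// action=WPSCL_Custom_Field_Delete and field_id.
function wpscl_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'wpscl-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0.1', true );
    wp_localize_script( 'wpscl-admin', 'wpsclAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'wpscl_custom_field_delete' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpscl_enqueue_admin_script' );
```

The nonce is bound to the logged-in user and session and expires after at most a day, so a page on another origin cannot obtain a valid one for the victim; that is the whole defence, and it only works if every state-changing AJAX action in the plugin performs the check, not just this one.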

