CVE-2026-0725
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-01-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | integrate_dynamics_365_crm | to 1.1.1 (inc) |
| unknown_vendor | integrate_dynamics_365_crm | 1.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Integrate Dynamics 365 CRM plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize and escape user-supplied input in the admin settings. This allows authenticated users with Administrator-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user accesses the affected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
This vulnerability can allow attackers with administrator privileges to inject arbitrary web scripts that execute in the context of other users visiting the injected pages. This can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions performed on behalf of users without their consent. Since the attacker must have admin-level access, the risk is primarily from insider threats or compromised admin accounts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via admin settings in the Integrate Dynamics 365 CRM WordPress plugin up to version 1.1.1. Detection involves checking for malicious script injections in the plugin's admin settings pages. Since the vulnerability requires Administrator-level access to inject scripts, detection can focus on reviewing admin-configured fields for suspicious script tags or payloads. There are no specific commands provided in the resources to detect this vulnerability on a network or system. Manual inspection of the plugin's admin settings or scanning the WordPress database for injected scripts in plugin-related options may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Integrate Dynamics 365 CRM plugin to version 1.1.2 or later, which contains security fixes addressing this vulnerability by enhancing input sanitization and output escaping to prevent XSS attacks. If updating is not immediately possible, restrict Administrator-level access to trusted users only and audit existing admin settings for injected scripts. Applying the security update from version 1.1.1 to 1.1.2 is the recommended action to remediate the vulnerability. [3]