Description
The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them
Published: 2025-12-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Settings Reset
Action: Assess & Patch
AI Analysis

Impact

The HelloLeads CRM Form Shortcode WordPress plugin up to and including version 1.0 performs neither a capability (authorisation) check nor a CSRF nonce check before resetting its settings. Anyone who can reach the site can send the reset request directly without logging in, or trick a logged-in administrator's browser into sending it, and force the plugin back to its default configuration, which an administrator then has to re-enter. The CVSS vector (C:N/I:L/A:N) scores this as a partial integrity impact only: settings are overwritten, not disclosed, and the WordPress site itself keeps running. The flaw affects the integrity of the plugin's configuration, not the confidentiality of its data.

Affected Systems

The vulnerability affects the HelloLeads CRM Form Shortcode plugin for WordPress, versions up to and including 1.0. Every WordPress installation running this plugin at an affected version is exposed; no other vendors or products are currently known to be impacted.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) is medium: the reset is reachable over the network without privileges or user interaction, but the impact is limited to integrity. The EPSS score below 1% predicts a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment nevertheless records a public proof of concept (Exploitation: poc) and marks the flaw as automatable. Because no authentication check exists, an attacker does not even need the CSRF vector: a single crafted request to the reset handler from any client that can reach the site is enough (CWE-284). The missing nonce additionally lets a cross-site page trigger the reset through an administrator's browser (CWE-352). The low EPSS reflects the limited payoff of the attack, not any difficulty in carrying it out, so the mitigations below still apply.

Generated by OpenCVE AI on April 27, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HelloLeads CRM Form Shortcode plugin to a version that adds a capability check and a CSRF nonce check to the settings reset feature once the vendor releases one; as of this entry no fixed version is listed.
  • Until a patch is available, disable or remove the plugin, or block requests to its reset handler with a web application firewall rule. A WAF rule has to match the reset request itself, since the request carries no session and can come from any source, not just from a logged-in administrator's browser.
  • Review the plugin's remaining exposed endpoints and audit the WordPress configuration for other insecure functionality; apply general WordPress hardening such as restricting user roles, disabling file editing from the dashboard (DISALLOW_FILE_EDIT), and monitoring for unauthorised configuration changes, for example by logging writes to the plugin's options together with the requesting user and IP address.
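The following is an added example, not the HelloLeads plugin's own code: it shows the WordPress pattern that produces this class of bug (a settings reset keyed off a request parameter, with no capability or nonce check) beside the hardened form that the recommended fix describes, plus an audit hook for the monitoring advice. The option name `hl_demo_settings`, the action `hl_demo_reset` and the nonce action `hl_demo_reset_settings` are hypothetical; only the WordPress functions and hooks used are real.

```php
<?php
/**
 * Added example, not code from the HelloLeads CRM Form Shortcode plugin.
 * Hypothetical names: option 'hl_demo_settings', action 'hl_demo_reset',
 * nonce action 'hl_demo_reset_settings'.
 */

const HL_DEMO_OPTION = 'hl_demo_settings';

function hl_demo_default_settings() {
    return array( 'form_id' => '', 'api_key' => '', 'redirect_url' => '' );
}

/*
 * VULNERABLE pattern: runs on every request, for any visitor, and acts on a
 * single request parameter. Nothing proves who is asking (CWE-284) or that the
 * request came from the plugin's own admin screen (CWE-352), so an
 * unauthenticated GET or a cross-site link resets the configuration.
 */
function hl_demo_reset_settings_vulnerable() {
    if ( isset( $_GET['action'] ) && 'hl_demo_reset' === $_GET['action'] ) {
        update_option( HL_DEMO_OPTION, hl_demo_default_settings() );
    }
}
// add_action( 'init', 'hl_demo_reset_settings_vulnerable' ); // the bug: do not do this

/*
 * HARDENED form: hook admin_post_<action>, which WordPress fires only for
 * logged-in users (admin_post_nopriv_<action> is the anonymous variant and is
 * deliberately not registered). Then check the capability (authorisation) and
 * the nonce (CSRF) before touching the option; both failures end in wp_die().
 */
function hl_demo_reset_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset these settings.', '', array( 'response' => 403 ) );
    }
    // Verifies $_REQUEST['_wpnonce'] against the nonce action and dies on failure.
    check_admin_referer( 'hl_demo_reset_settings' );

    update_option( HL_DEMO_OPTION, hl_demo_default_settings() );

    wp_safe_redirect( add_query_arg( 'hl_demo_reset', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_hl_demo_reset', 'hl_demo_reset_settings_hardened' );

/*
 * The reset button on the admin screen: a POST to admin-post.php carrying the
 * action and the nonce field that the handler above verifies.
 */
function hl_demo_render_reset_button() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hl_demo_reset">
        <?php wp_nonce_field( 'hl_demo_reset_settings' ); ?>
        <?php submit_button( 'Reset settings', 'delete', 'submit', false ); ?>
    </form>
    <?php
}

/*
 * Audit trail for the "monitor for unauthorised configuration changes" advice.
 * update_option_<name> fires only when the stored value actually changes; a
 * line logged with user 0 (no session) is the symptom of an unauthenticated reset.
 */
function hl_demo_audit_option_change( $old_value, $new_value ) {
    error_log( sprintf(
        '[hl_demo] option %s changed by user %d from %s (%s)',
        HL_DEMO_OPTION,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : ''
    ) );
}
add_action( 'update_option_' . HL_DEMO_OPTION, 'hl_demo_audit_option_change', 10, 2 );
```

The order of the checks matters: the capability check first rejects anonymous and low-privileged callers outright, and the nonce check then rejects requests that an administrator's browser was tricked into sending. Registering the handler on `admin_post_` rather than `init` is what keeps the reset off the unauthenticated request path altogether.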



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 22:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-284, CWE-352

Mon, 15 Dec 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Dec 2025 14:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Sun, 14 Dec 2025 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them

Type: Title
Values Removed: (none)
Values Added: HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset

Type: References
Values Removed: (none)
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:52.989Z

Reserved: 2025-11-04T13:57:14.225Z

Link: CVE-2025-12696

Vulnrichment

Updated: 2025-12-15T14:45:23.845Z

NVD

Status: Deferred

Published: 2025-12-14T06:15:37.267

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses