Description
The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes.
Published: 2025-12-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress contains a missing capability check on the /wp-json/devs-crm/v1/attendances REST API endpoint. As a result, unauthenticated users can retrieve private user data, including password hashes. This leads to an Information Disclosure vulnerability with a medium severity rating (CVSS 5.3).

Affected Systems

WordPress sites that have installed the Devs CRM plugin version 1.1.8 or earlier, provided by vendor ajitdas, are susceptible to this flaw. The vulnerability is confined to the plugin’s REST interface and does not directly affect the core WordPress installation.

Risk and Exploitability

This vulnerability can be exploited remotely via HTTP by making unauthenticated requests to the public REST API endpoint. The EPSS score is below 1 % and the issue is not in CISA’s KEV catalog, indicating low current exploitation probability. However, because no credentials are needed and the endpoint returns sensitive data, the impact is significant. The CVSS score of 5.3 places it in the medium range, and the absence of authentication checks means attackers could potentially harvest password hashes under insecure configurations.

Generated by OpenCVE AI on April 21, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Devs CRM plugin to the latest available version, which includes a proper capability check for the attendances endpoint.
  • If immediate upgrade is not possible, disable or remove the /wp-json/devs-crm/v1/attendances route, or add a custom capability check that limits access to authenticated users only.
  • Implement server‑side access controls, such as firewall or .htaccess rules, to block unauthenticated requests to any Devs CRM REST endpoints until a patch is applied.

Generated by OpenCVE AI on April 21, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Ajitdas
Ajitdas devs Crm
Wordpress
Wordpress wordpress
Vendors & Products Ajitdas
Ajitdas devs Crm
Wordpress
Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes.
Title Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Unauthenticated Information Expsoure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Ajitdas Devs Crm
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:11.739Z

Reserved: 2025-11-12T20:40:30.930Z

Link: CVE-2025-13092

cve-icon Vulnrichment

Updated: 2025-12-15T15:24:57.061Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:46.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13092

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses