Description
The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of custom fields via Cross‑Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

The Web to SugarCRM Lead plugin for WordPress fails to validate a nonce when deleting custom fields, allowing an attacker to perform a Cross‑Site Request Forgery (CSRF). An unauthenticated attacker only needs to trick a site administrator into clicking a forged link. The result is the irreversible removal of custom field definitions, which can disrupt data mapping, lead management, and overall record integrity. This weakness is classified under CWE‑352 – Cross‑Site Request Forgery.

Affected Systems

The vulnerability affects the dipesh_patel Web to SugarCRM Lead plugin on WordPress installations. All releases up to and including version 1.0.0 are impacted; later releases (if any) have not been indicated as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, and the EPSS score of less than 1% implies a low probability of exploitation in the near term. The weakness is not listed in CISA’s KEV catalog, further suggesting limited observed exploitation. However, because the attack vector is a simple web‑based CSRF, any administrator exposed to a malicious link could trigger the deletion. The impact is limited to data integrity and availability (loss of custom field data), but the attack is possible without authentication.

Generated by OpenCVE AI on April 21, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Web to SugarCRM Lead plugin to a version that implements nonce validation on deletion (if a newer version is available).
  • If no update exists, modify or remove the deletion functionality: either add a nonce check to the deletion handler or disable the feature entirely, so that a forged cross-site request cannot succeed.
  • Deploy a generic WordPress CSRF protection plugin or harden the administration interface so that all state‑changing actions require a valid token, and monitor admin pages for unusual or repeated deletion attempts.
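A sketch of the missing check and its fix in WordPress plugin code, added here as an illustration; it is not the plugin's own code, and since the plugin's real function, option and parameter names are not on this page, the `w2s_*` names below are hypothetical placeholders.

```php
<?php
// Added example, not taken from the plugin. All w2s_* names are hypothetical.

// BEFORE: the pattern behind CWE-352. A capability check alone does not help,
// because the forged request is sent by the administrator's own browser and
// carries their session cookies, so it passes current_user_can().
function w2s_delete_custom_field_vulnerable() {
    if ( isset( $_GET['w2s_delete_field'] ) && current_user_can( 'manage_options' ) ) {
        $fields = get_option( 'w2s_custom_fields', array() );
        unset( $fields[ sanitize_key( wp_unslash( $_GET['w2s_delete_field'] ) ) ] );
        update_option( 'w2s_custom_fields', $fields );   // no nonce: CSRF-able
    }
}

// AFTER: the deletion link carries a nonce tied to the specific field, and
// the handler refuses to act unless both the nonce and the capability hold.
function w2s_delete_field_url( $field_key ) {
    $url = add_query_arg(
        array( 'action' => 'w2s_delete_field', 'field' => $field_key ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'w2s_delete_field_' . $field_key, '_wpnonce' );
}

function w2s_delete_custom_field_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $field_key = isset( $_GET['field'] ) ? sanitize_key( wp_unslash( $_GET['field'] ) ) : '';

    // check_admin_referer() validates the nonce for this exact action and
    // stops with a "link has expired" page when it is missing, stale or forged,
    // which is what a cross-site forged request will always be.
    check_admin_referer( 'w2s_delete_field_' . $field_key, '_wpnonce' );

    $fields = get_option( 'w2s_custom_fields', array() );
    if ( isset( $fields[ $field_key ] ) ) {
        unset( $fields[ $field_key ] );
        update_option( 'w2s_custom_fields', $fields );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=w2s&deleted=1' ) );
    exit;
}
// admin-post.php routes logged-in requests with action=w2s_delete_field here.
add_action( 'admin_post_w2s_delete_field', 'w2s_delete_custom_field_hardened' );
```

Nonces are per user and per action, so a link crafted by a third party cannot carry a valid one; the capability check still matters as defence against lower-privileged users, but it is the nonce that closes the CSRF.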


Advisories

No advisories yet.

History

Tue, 23 Dec 2025 23:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Dipesh Patel; Dipesh Patel web To Sugarcrm Lead; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Dipesh Patel; Dipesh Patel web To Sugarcrm Lead; Wordpress; Wordpress wordpress

Mon, 22 Dec 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Dec 2025 04:00:00 +0000

Type: Description
Values added: The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: Web to SugarCRM Lead <= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion

Type: Weaknesses
Values added: CWE-352

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Dipesh Patel Web To Sugarcrm Lead
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:41.914Z

Reserved: 2025-11-18T16:36:29.595Z

Link: CVE-2025-13361

Vulnrichment

Updated: 2025-12-22T15:43:15.187Z

NVD

Status : Deferred

Published: 2025-12-21T04:16:04.350

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses