Description
The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. CVE-2025-62106 is likely a duplicate of this issue.
Published: 2026-01-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality and Integrity Exposure
Action: Patch
AI Analysis

Impact

The WP‑CRM System plugin for WordPress contains a missing authorization check on two AJAX endpoints that control contact email visibility and task status changes. Where the flaw is present, an authenticated user with subscriber or higher privileges can invoke the internal function that lists all CRM contact email addresses, thereby revealing personally identifiable information. The same lack of capability checks also allows a subscriber account to change the status of any CRM task. These actions do not grant code execution or administrative control, but they do compromise the confidentiality of sensitive contact data and the integrity of task management, both of which matter for project tracking and client privacy.
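The missing check described above, as an added illustration that is not the WP-CRM System plugin's own code: a WordPress AJAX handler that returns contact addresses with no capability check, beside the hardened form that verifies a nonce and a capability, plus a status-change handler that checks authorization before writing. Hook names, post types, meta keys and capability strings are assumptions.

```php
<?php
// Added illustration, not the WP-CRM System plugin's own code. Hook names,
// post types, meta keys and the capability strings are assumptions.
// wp_ajax_* hooks fire for every logged-in user, so authorization must be
// performed inside the callback; CWE-862 is the absence of that step.

// Missing-authorization pattern: any subscriber who calls this action
// receives every stored contact address.
add_action( 'wp_ajax_example_get_recipients', 'example_get_recipients_unchecked' );
function example_get_recipients_unchecked() {
    wp_send_json_success( example_collect_emails() ); // no capability check at all
}

// Hardened form: CSRF nonce first, then a capability subscribers lack.
add_action( 'wp_ajax_example_get_recipients_safe', 'example_get_recipients_checked' );
function example_get_recipients_checked() {
    check_ajax_referer( 'example_recipients_nonce', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'edit_others_posts' ) ) {        // Editor and above
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( example_collect_emails() );
}

function example_collect_emails() {
    $emails = array();
    foreach ( get_posts( array( 'post_type' => 'example_contact', 'numberposts' => -1 ) ) as $c ) {
        $emails[] = get_post_meta( $c->ID, '_example_email', true );
    }
    return $emails;
}

// State-changing endpoint: validate input and check that the caller may edit
// this particular task before writing anything.
add_action( 'wp_ajax_example_task_change_status', 'example_task_change_status' );
function example_task_change_status() {
    check_ajax_referer( 'example_task_nonce', 'nonce' );
    $task_id = isset( $_POST['task_id'] ) ? absint( $_POST['task_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( ! $task_id || 'example_task' !== get_post_type( $task_id )
         || ! current_user_can( 'edit_post', $task_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    if ( ! in_array( $status, array( 'open', 'in_progress', 'done' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
    }
    update_post_meta( $task_id, '_example_status', $status );
    wp_send_json_success( array( 'task_id' => $task_id, 'status' => $status ) );
}
```

The object-level `current_user_can( 'edit_post', $task_id )` check is what a role-editor workaround cannot supply: only the handler itself knows which record the request targets.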

Affected Systems

The vulnerability affects the WP‑CRM System plugin developed by nofearinc, with all releases up to and including 3.4.5 susceptible. Versions 3.4.6 and later contain the necessary capability checks that prevent these unauthorized actions.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity, while the EPSS score of less than 1% suggests the current probability of exploitation is low. The flaw is not listed in CISA’s KEV catalog. An attacker must be authenticated – as a subscriber or higher-privileged user – to exploit the flaw, which can be done from any remote location where the WordPress site is reachable. The missing checks allow enumeration of sensitive data and alteration of task records, thereby exposing private email addresses and potentially allowing malicious re‑ordering or blocking of tasks. Overall, the risk is moderate but non‑negligible for deployments that rely on strict role separation or where subscriber accounts can be obtained by outsiders.

Generated by OpenCVE AI on April 20, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP‑CRM System plugin to version 3.4.6 or later.
  • Revoke or restrict the capabilities that allow subscribers to invoke the wpcrm_get_email_recipients or wpcrm_system_ajax_task_change_status functions using the WordPress role editor.
  • If an immediate update is not possible, temporarily block the AJAX endpoints by denying access to the wpcrm-site-ajax.php script or by configuring a firewall rule that limits the affected URLs to administrators only.

Tracking

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses.
Values Added: The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. CVE-2025-62106 is likely a duplicate of this issue.
References

Thu, 15 Jan 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wp-crm; Wp-crm wp-crm System
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wp-crm; Wp-crm wp-crm System

Wed, 14 Jan 2026 05:45:00 +0000

Type: Description
Values Added: The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses.
Type: Title
Values Added: WP-CRM System – Manage Clients and Projects <= 3.4.5 - Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wp-crm Wp-crm System
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:19.435Z

Reserved: 2025-12-17T20:47:41.920Z

Link: CVE-2025-14854

Vulnrichment

Updated: 2026-01-15T17:26:22.580Z

NVD

Status: Deferred

Published: 2026-01-14T06:15:53.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses