Description
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.
Published: 2025-07-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Update Plugin
AI Analysis

Impact

The Lead Form Data Collection to CRM plugin has a missing capability check in its AJAX handling file, which allows users with Subscriber-level access and above to invoke privileged actions such as updating plugin settings. This flaw falls under the missing authorization category and can be used by an attacker who is already authenticated on the site to change configuration data. The vulnerability does not grant direct code execution but elevates the attacker’s influence within the site’s settings.

Affected Systems

This issue affects the Lead Form Data Collection to CRM plugin from SmackCoders, all releases up to and including version 3.1 on WordPress installations. Any site running one of these versions on which an attacker holds a valid Subscriber-level or higher account is affected.

Risk and Exploitability

The CVSS score of 6.3 indicates medium severity. The EPSS score of <1% suggests a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The CVSS vector (AV:N, PR:L) describes a network attack that requires the attacker to be authenticated with at least a Subscriber role and to send crafted AJAX requests to the LB_admin_ajax.php endpoint. No additional local privileges are needed beyond the normal Subscriber permissions.

Generated by OpenCVE AI on April 22, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lead Form Data Collection to CRM plugin to a version newer than 3.1 that includes the missing capability check.
  • If an immediate upgrade is not possible, modify the plugin’s capability checks or remove the affected AJAX endpoints for users below the Administrator role to prevent unauthorized access.
  • Review and limit the capabilities granted to Subscriber or lower roles, ensuring they do not include administrative privileges required by the plugin’s settings functions.
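To illustrate the second recommended action, here is an added example (not the plugin's own code) of a WordPress AJAX settings handler in its vulnerable shape beside a hardened one. The function, hook and option names (lfdc_save_settings, lfdc_settings, the allowed keys) are assumed placeholders; only the WordPress API calls are real.

```php
<?php
// Added illustrative example; not code from the Lead Form Data Collection to CRM plugin.
// Names such as lfdc_save_settings and the option key lfdc_settings are assumed.

// Vulnerable pattern (CWE-862, missing authorization): a wp_ajax_ action is reachable
// by every logged-in user, including Subscribers, and nothing checks a capability.
// Any option key supplied by the caller is written, so arbitrary options can be changed.
function lfdc_save_settings_vulnerable() {
    $name  = isset( $_POST['option_name'] ) ? wp_unslash( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
// The vulnerable handler would have been registered with
// add_action( 'wp_ajax_lfdc_save_settings', 'lfdc_save_settings_vulnerable' );

// Hardened form: capability check, nonce check, and an allow-list of option keys so the
// handler can only touch its own settings, never wp_options entries such as default_role.
function lfdc_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // also terminates the request
    }
    check_ajax_referer( 'lfdc_settings_nonce', 'nonce' ); // dies on an invalid nonce

    $allowed = array( 'crm_endpoint', 'sync_enabled' ); // assumed plugin settings
    $raw     = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $clean = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }
    update_option( 'lfdc_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_lfdc_save_settings', 'lfdc_save_settings_hardened' );
```

For detection on an unpatched site, POST requests to admin-ajax.php carrying the plugin's action names from accounts that lack manage_options are the signal to alert on.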



Advisories
Source: EUVD
ID: EUVD-2025-19710
Title: The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.
History

Wed, 27 Aug 2025 14:00:00 +0000

Type: Description
Values Removed: The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable.
Values Added: The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates.

Type: Title
Values Removed: Lead Form Data Collection to CRM <= 3.1 - Authenticated (Subscriber+) Arbitrary Options Update
Values Added: Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions

Type: Metrics (cvssV3_1)
Values Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00045}
Values Added: {'score': 0.00046}


Thu, 10 Jul 2025 16:00:00 +0000

Type: First Time appeared
Values Added: Smackcoders; Smackcoders lead Form Data Collection To Crm

Type: CPEs
Values Added: cpe:2.3:a:smackcoders:lead_form_data_collection_to_crm:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Smackcoders; Smackcoders lead Form Data Collection To Crm

Wed, 02 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 02:30:00 +0000

Type: Description
Values Added: The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable.

Type: Title
Values Added: Lead Form Data Collection to CRM <= 3.1 - Authenticated (Subscriber+) Arbitrary Options Update

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Smackcoders Lead Form Data Collection To Crm
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:41.444Z

Reserved: 2025-06-04T20:04:29.128Z

Link: CVE-2025-5692

Vulnrichment

Updated: 2025-07-02T13:05:28.766Z

NVD

Status: Analyzed

Published: 2025-07-02T03:15:23.680

Modified: 2025-09-30T18:12:42.180

Link: CVE-2025-5692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses