Metrics
Affected Vendors & Products
Wed, 27 Aug 2025 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable. | The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/includes/LB_admin_ajax.php file in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several actions like updating settings. Initially this CVE was assigned specifically to all AJAX actions and the doFieldAjaxAction() function, however it was determined that CVE-2025-47690 is assigned to the doFieldAjaxAction() function that leads to arbitrary options updates. |
Title | Lead Form Data Collection to CRM <= 3.1 - Authenticated (Subscriber+) Arbitrary Options Update | Lead Form Data Collection to CRM <= 3.1 - Missing Authorization to Authenticated (Subscriber+) Many Actions |
Metrics |
cvssV3_1
|
cvssV3_1
|
Fri, 11 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|
Thu, 10 Jul 2025 16:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Smackcoders
Smackcoders lead Form Data Collection To Crm |
|
CPEs | cpe:2.3:a:smackcoders:lead_form_data_collection_to_crm:*:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Smackcoders
Smackcoders lead Form Data Collection To Crm |
Wed, 02 Jul 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 02 Jul 2025 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable. | |
Title | Lead Form Data Collection to CRM <= 3.1 - Authenticated (Subscriber+) Arbitrary Options Update | |
Weaknesses | CWE-862 | |
References |
|
|
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-08-27T13:46:51.184Z
Reserved: 2025-06-04T20:04:29.128Z
Link: CVE-2025-5692

Updated: 2025-07-02T13:05:28.766Z

Status : Modified
Published: 2025-07-02T03:15:23.680
Modified: 2025-08-27T14:15:54.167
Link: CVE-2025-5692

No data.

No data.