Description
The "The integration of the AMO.CRM" plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to modify critical API connection settings, including the AMO.CRM API URL, login credentials, and API hash key, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Apply Patch
AI Analysis

Impact

The plugin's settings_page function saves the AMO.CRM connection settings without validating a WordPress nonce. An attacker who holds no account on the site can therefore host a page that submits a pre-filled settings form to the site's admin area; if a logged-in administrator visits that page (for example by following a link), the browser sends the request with the administrator's session cookies and the plugin accepts it. The attacker can then overwrite the AMO.CRM API URL, login and API hash key. Pointing the plugin at an attacker-controlled API endpoint, or replacing the stored credentials, puts the data the site exchanges with the CRM at risk and gives the attacker a persistent foothold in the integration; the CVSS vector rates the direct impact as a loss of integrity only (C:N/I:L/A:N).

Affected Systems

The issue affects the "The integration of the AMO.CRM" plugin for WordPress in all versions up to and including 1.0.1. Any site running one of these versions with the plugin active is affected; this page lists no fixed version.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium; vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a network-reachable flaw that needs no privileges but does require user interaction and affects integrity only. The EPSS score below 1% indicates that exploitation is considered unlikely at present, the SSVC assessment records no known exploitation and rates the flaw as not automatable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a social-engineering lure, such as a malicious link or an embedded iframe or auto-submitting form, delivered to a site administrator who is logged in to wp-admin. The forged request is sent from the administrator's own browser with their session cookies, so it passes WordPress's authentication; what is missing is the nonce check that would prove the request originated from the plugin's own settings form.

Generated by OpenCVE AI on April 21, 2026 at 03:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AMO.CRM plugin to a release that adds nonce validation to settings_page as soon as one is available; this page lists no fixed version, so check the plugin's changelog before assuming an update resolves the issue
  • Ensure every state-changing administrative action in WordPress core and plugins verifies a nonce (wp_nonce_field on the form, check_admin_referer or wp_verify_nonce in the handler) together with a capability check such as current_user_can('manage_options')
  • Do not rely on IP restrictions or two-factor authentication to block this attack: the forged request comes from the logged-in administrator's own browser, so both controls are already satisfied. Instead, keep administrator sessions short (log out of wp-admin when not administering), audit the stored AMO.CRM API URL, login and API hash for unexpected changes, and rotate the API credentials if any are found
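The nonce pattern the recommendation refers to, shown as an added example in the plugin's language, PHP. This is hypothetical code written for this page, not the AMO.CRM plugin's own source (which the page does not show): the first handler reproduces the unprotected pattern the description implies, the second is the hardened form. The option key, nonce action, form field names and page slug are assumptions.

```php
<?php
/**
 * Hypothetical settings page for a CRM-integration plugin (example only,
 * not the AMO.CRM plugin's code). The vulnerable handler accepts any POST
 * that reaches it; the hardened handler requires a capability and a nonce.
 */

// Assumed option key, nonce action and nonce field name.
const EXAMPLE_CRM_OPTION       = 'example_crm_settings';
const EXAMPLE_CRM_NONCE_ACTION = 'example_crm_save_settings';
const EXAMPLE_CRM_NONCE_FIELD  = '_example_crm_nonce';

/**
 * VULNERABLE: saves whatever arrives in $_POST. A form on an attacker's
 * page that auto-submits to this admin URL is accepted as long as the
 * visitor's browser carries a logged-in administrator's cookies.
 */
function example_crm_settings_page_vulnerable() {
    if ( isset( $_POST['crm_api_url'] ) ) {
        update_option( EXAMPLE_CRM_OPTION, array(
            'api_url'  => $_POST['crm_api_url'],
            'login'    => $_POST['crm_login'] ?? '',
            'api_hash' => $_POST['crm_api_hash'] ?? '',
        ) );
    }
    example_crm_render_form( false );
}

/**
 * HARDENED: capability check, nonce check, input sanitisation.
 * current_user_can() alone does not stop CSRF (the admin is logged in);
 * the nonce is what ties the request to the plugin's own form.
 */
function example_crm_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-crm' ) );
    }

    if ( isset( $_POST['crm_api_url'] ) ) {
        // Terminates the request with a 403 page if the nonce is missing,
        // expired, issued for another user/session, or forged.
        check_admin_referer( EXAMPLE_CRM_NONCE_ACTION, EXAMPLE_CRM_NONCE_FIELD );

        $settings = array(
            'api_url'  => esc_url_raw( wp_unslash( $_POST['crm_api_url'] ) ),
            'login'    => sanitize_text_field( wp_unslash( $_POST['crm_login'] ?? '' ) ),
            'api_hash' => sanitize_text_field( wp_unslash( $_POST['crm_api_hash'] ?? '' ) ),
        );
        update_option( EXAMPLE_CRM_OPTION, $settings );
        echo '<div class="notice notice-success"><p>'
            . esc_html__( 'Settings saved.', 'example-crm' ) . '</p></div>';
    }
    example_crm_render_form( true );
}

/** Renders the settings form; $with_nonce selects the protected variant. */
function example_crm_render_form( $with_nonce ) {
    $opts = get_option( EXAMPLE_CRM_OPTION, array( 'api_url' => '', 'login' => '', 'api_hash' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'options-general.php?page=example-crm' ) ) . '">';
    if ( $with_nonce ) {
        // Hidden field carrying a per-user, per-session, time-limited token.
        wp_nonce_field( EXAMPLE_CRM_NONCE_ACTION, EXAMPLE_CRM_NONCE_FIELD );
    }
    echo '<input type="url" name="crm_api_url" value="' . esc_attr( $opts['api_url'] ) . '">';
    echo '<input type="text" name="crm_login" value="' . esc_attr( $opts['login'] ) . '">';
    echo '<input type="password" name="crm_api_hash" value="' . esc_attr( $opts['api_hash'] ) . '">';
    submit_button();
    echo '</form>';
}

// Register the hardened handler as the settings page.
add_action( 'admin_menu', function () {
    add_options_page( 'Example CRM', 'Example CRM', 'manage_options', 'example-crm',
        'example_crm_settings_page_hardened' );
} );
```

With the hardened handler, a cross-site POST cannot carry a valid nonce because the attacker never sees the token WordPress embeds in the administrator's own form, so check_admin_referer() stops the request before update_option() runs. When auditing a plugin for this class of bug, look for admin handlers that call update_option() (or otherwise change state) on request data without a preceding check_admin_referer() or wp_verify_nonce() call.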

Advisories
Source: EUVD
ID: EUVD-2025-27667
Title: The "The integration of the AMO.CRM" plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to modify critical API connection settings, including the AMO.CRM API URL, login credentials, and API hash key, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 12 Sep 2025 08:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 07:30:00 +0000

Type: Description
Values Added: The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to modify critical API connection settings including the AMO.CRM API URL, login credentials, and API hash key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: The integration of the AMO.CRM <= 1.0.1 - Cross-Site Request Forgery

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:06.692Z

Reserved: 2025-08-28T19:29:35.029Z

Link: CVE-2025-9628

Vulnrichment

Updated: 2025-09-11T14:09:52.872Z

NVD

Status : Deferred

Published: 2025-09-11T08:15:37.793

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses