Description
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-17
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Integrate Dynamics 365 CRM WordPress plugin allows an attacker who can log in with Administrator or higher privileges to inject malicious scripts by altering the field mapping configuration. The vulnerability originates from missing sanitization of user-supplied attributes and the lack of output escaping when those attributes are rendered in pages. Injected code will execute for every user who views the affected page, potentially enabling session hijacking, defacement, credential theft, or the spread of malware.

Affected Systems

WordPress sites that have the Integrate Dynamics 365 CRM plugin version 1.1.1 or earlier installed are affected. The plugin is identified as cyberlord92:Integrate Dynamics 365 CRM. No other versions or products are listed in the CVE data.

Risk and Exploitability

The vulnerability has a CVSS score of 4.4 (Medium), indicating a low-to-moderate impact. The EPSS score of less than 1% suggests it is currently unlikely to be exploited in the wild, and the issue is not listed in the CISA KEV catalog. Moreover, the attack requires authentication as an Administrator, so the risk is confined to internal users with elevated privileges. If an attacker gains such access, they can execute arbitrary JavaScript, but only on sites where the plugin is present, and the effect is limited to the context of the affected site.

Generated by OpenCVE AI on April 15, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Integrate Dynamics 365 CRM plugin to a version newer than 1.1.1 that incorporates proper input sanitization and output escaping.
  • If an update is not immediately available, remove or disable the field-mapping configuration capability for non-Administrator accounts and consider disabling the plugin entirely until a fix is released.
  • Implement or enforce strict server-side validation and escaping for all user-supplied data in the plugin before rendering it in web pages.

Generated by OpenCVE AI on April 15, 2026 at 21:45 UTC.
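The third recommended action above, sanitizing on input and escaping on output, expressed in WordPress terms. This is an added illustration, not the plugin's own code and not a reproduction of the vulnerable routine: the option name `example_d365_field_map`, the function names and the idea of a key/value "field mapping" setting are assumptions constructed for the example. Only WordPress core APIs are used (`register_setting`, `sanitize_key`, `sanitize_text_field`, `esc_attr`, `esc_html`, `get_option`, `current_user_can`). The weak rendering function echoes a stored attribute straight into HTML; the hardened pair routes every save through a `sanitize_callback` and escapes for the HTML context at render time.

```php
<?php
// Added example (not the plugin's code). A hypothetical "field mapping" option
// that pairs a WordPress form field name with a CRM attribute name. The option
// name and every function name below are assumptions made for this example.

// --- Weak pattern: the stored value is echoed unescaped into an attribute. ---
// A stored value containing a double quote closes the value="" attribute early,
// so whatever follows it is rendered as markup for every user who opens the page.
function example_d365_render_mapping_weak() {
    $map = get_option( 'example_d365_field_map', array() );
    foreach ( $map as $wp_field => $crm_attr ) {
        echo '<input type="text" name="example_d365_field_map[' . $wp_field . ']" value="' . $crm_attr . '">';
    }
}

// --- Hardened pattern 1: sanitize on input through the Settings API. ---
// register_setting() calls this callback on every save, so nothing reaches the
// database without passing through it.
function example_d365_sanitize_mapping( $input ) {
    $clean = array();
    if ( ! is_array( $input ) ) {
        return $clean;
    }
    foreach ( $input as $wp_field => $crm_attr ) {
        // Keys are reused as form-field names: restrict them to [a-z0-9_-].
        $key = sanitize_key( $wp_field );
        // Values are plain text: strip tags, line breaks and percent-encoded octets.
        $val = sanitize_text_field( $crm_attr );
        if ( '' !== $key && '' !== $val ) {
            $clean[ $key ] = $val;
        }
    }
    return $clean;
}

function example_d365_register_settings() {
    register_setting(
        'example_d365_options',      // option group (assumed name)
        'example_d365_field_map',    // option name  (assumed name)
        array(
            'type'              => 'array',
            'sanitize_callback' => 'example_d365_sanitize_mapping',
            'default'           => array(),
        )
    );
}
add_action( 'admin_init', 'example_d365_register_settings' );

// --- Hardened pattern 2: escape on output, choosing the escaper per context. ---
// Escaping at render time protects readers even if a value was stored before
// the sanitize callback existed (for example, by an earlier plugin version).
function example_d365_render_mapping_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $map = get_option( 'example_d365_field_map', array() );
    foreach ( $map as $wp_field => $crm_attr ) {
        // esc_html() for text nodes, esc_attr() for attribute values.
        printf(
            '<label>%1$s <input type="text" name="example_d365_field_map[%2$s]" value="%3$s"></label>',
            esc_html( $wp_field ),
            esc_attr( $wp_field ),
            esc_attr( $crm_attr )
        );
    }
}
```

The two hardened halves are deliberately independent: the sanitize callback limits what can be stored, and the output escaping neutralises a stray double quote or angle bracket regardless of what is already in the database. When reviewing a settings page for this class of bug, check both that the option is registered with a `sanitize_callback` and that every `echo`/`printf` of a stored value goes through the escaper matching its HTML context.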


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 17 Jan 2026 08:30:00 +0000

Type: Description
Values Added: The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Integrate Dynamics 365 CRM <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:57.040Z

Reserved: 2026-01-08T13:46:37.754Z

Link: CVE-2026-0725

Vulnrichment

Updated: 2026-01-20T19:18:03.625Z

NVD

Status : Deferred

Published: 2026-01-17T09:15:52.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0725

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:00:06Z

Weaknesses