VYPR
Medium severity (5.3) · NVD Advisory · Published Dec 14, 2025 · Updated Apr 15, 2026

CVE-2025-12696

Description

The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation or CSRF checks when resetting its settings, allowing unauthenticated users to reset them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 allows unauthenticated attackers to reset plugin settings due to missing authorization and CSRF checks.

Vulnerability Overview

The HelloLeads CRM Form Shortcode WordPress plugin, version 1.0 and earlier, contains a missing authorization vulnerability in its settings reset functionality. The plugin does not perform any authorization or CSRF (Cross-Site Request Forgery) checks when processing a request to reset its settings. This allows unauthenticated users to trigger a settings reset, bypassing all access controls [1].

Exploitation Details

An attacker can exploit this vulnerability by crafting a simple HTTP request to the plugin's settings reset endpoint. No authentication is required, and since there is no CSRF protection, the attack can also be performed via a crafted link that, if clicked by an administrator, would reset the settings. However, the direct unauthenticated request vector is the most straightforward [1].

Impact

Successful exploitation causes the plugin's settings to be reverted to their default values. This can disrupt the plugin's functionality, potentially breaking any CRM form shortcodes configured on the site, leading to a partial denial of service or misconfiguration. The CVSS score for this issue is 5.3 (Medium), indicating a moderate severity [1].

Mitigation Status

According to the available advisory, there is currently no known fix or patched version available for this vulnerability. Site administrators using the HelloLeads CRM Form Shortcode plugin should consider disabling or removing the plugin until an update is released, or implement additional access control measures [1].
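As an added example (not the HelloLeads plugin's own code), a hypothetical WordPress settings-reset handler showing the two guards this advisory describes as missing: a capability check, which closes the unauthenticated vector, and a nonce check, which closes the CSRF vector. The option name, action slug and settings-page slug are placeholders chosen for the example.

```php
<?php
// Illustrative example, not code from the HelloLeads plugin.
// Placeholder names (assumptions, not taken from the advisory).
const EXAMPLE_OPTION = 'example_crm_form_settings';
const EXAMPLE_ACTION = 'example_crm_reset_settings';
const EXAMPLE_PAGE   = 'options-general.php?page=example-crm';

// The defect class the advisory describes: the reset runs for whoever
// reaches the handler, with no check of identity or request origin.
function example_reset_settings_unchecked() {
    delete_option( EXAMPLE_OPTION );
    wp_safe_redirect( admin_url( EXAMPLE_PAGE ) );
    exit;
}

// Hardened handler: require an administrator capability, then a nonce
// bound to this specific action, before the option is touched.
function example_reset_settings_guarded() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // Anonymous and low-privilege users stop here (HTTP 403).
        wp_die( esc_html__( 'You are not allowed to reset these settings.', 'example' ), '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the nonce is absent, expired or for another action,
    // which is what defeats a crafted link sent to an administrator.
    check_admin_referer( EXAMPLE_ACTION, '_wpnonce' );

    delete_option( EXAMPLE_OPTION );
    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( EXAMPLE_PAGE ) ) );
    exit;
}

// Hook only the logged-in variant (admin_post_, not admin_post_nopriv_),
// so unauthenticated requests never reach the handler at all.
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_reset_settings_guarded' );

// The settings page emits the nonce that the handler later verifies.
function example_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION, '_wpnonce' ); ?>
        <?php submit_button( __( 'Reset settings', 'example' ), 'delete' ); ?>
    </form>
    <?php
}
```

Until a patched release exists, the same two checks can be enforced from outside the plugin, for example by a mu-plugin hooked before the reset runs or a web-server rule that restricts the reset endpoint to authenticated administrators.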

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)