Medium severity5.3NVD Advisory· Published Dec 13, 2025· Updated Apr 15, 2026

CVE-2025-13093

Description

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads tags.

Affected products

WordPress/Devs CRMreferences
Package: https://wordpress.org/plugins/devs-crm
Devs CRM/Devs CRM – Manage tasks, attendance and teams all togetherllm-create
Range: <=1.1.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/plugins/devs-crm/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000