VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-62740

Description

Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in WP-CRM System plugin allows unprivileged users to exploit incorrectly configured access controls, enabling unauthorized actions.

Vulnerability

Overview

The WP-CRM System plugin for WordPress, versions up to and including 3.4.6, contains a missing authorization vulnerability [1]. This broken access control issue means that certain functions lack proper checks for user permissions or nonce tokens, allowing unprivileged users to execute actions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability with only network access to a site running the vulnerable plugin. No authentication is required, or a low-privileged account may be sufficient, depending on the specific missing check [1]. The vulnerability is classified as a broken access control issue, which is a common target for mass-exploit campaigns [1].

Impact

Successful exploitation allows an unprivileged attacker to perform actions normally restricted to higher-level users, such as modifying or accessing sensitive data, altering plugin settings, or other unauthorized operations [1]. The CVSS score of 5.3 (Medium) reflects the significant potential for unauthorized access and data manipulation [1].

Mitigation

The vendor has released a fix in version 3.4.7 or later. Users are strongly recommended to update immediately [1]. If an immediate update is not possible, users should contact their hosting provider or web developer for assistance [1]. This vulnerability is listed in the Patchstack database and is known to be used in automated attacks [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
