Vulnerabilities and security researches forwp-crm-system wp-crm-system

Jan 28, 2026

CVE, Research URL: CVE-2025-62106
Home page URL: Security reports for WordPress CRM Plugin – WP-CRM System
Application: WordPress CRM Plugin – WP-CRM System
Date: Jan 22, 2026
Research Description: Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through <= 3.4.5.
Affected versions: max 3.4.5.
Status: vulnerable

CVE, Research URL: CVE-2025-14854
Home page URL: Security reports for WordPress CRM Plugin – WP-CRM System
Application: WordPress CRM Plugin – WP-CRM System
Date: Jan 14, 2026
Research Description: The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses.
Affected versions: max 3.4.5.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-62740
Home page URL: Security reports for WordPress CRM Plugin – WP-CRM System
Application: WordPress CRM Plugin – WP-CRM System
Date: Dec 09, 2025
Research Description: Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through <= 3.4.5.
Affected versions: max 3.4.5.
Status: vulnerable

Jun 15, 2025

CVE, Research URL: CVE-2025-49270
Home page URL: Security reports for WordPress CRM Plugin – WP-CRM System
Application: WordPress CRM Plugin – WP-CRM System
Date: Jun 06, 2025
Research Description: Missing Authorization vulnerability in Mario Peshev WP-CRM System allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP-CRM System: from n/a through 3.4.2.
Affected versions: max 3.4.3.
Status: vulnerable

May 09, 2025

CVE, Research URL: CVE-2025-47629
Home page URL: Security reports for WordPress CRM Plugin – WP-CRM System
Application: WordPress CRM Plugin – WP-CRM System
Date: May 07, 2025
Research Description: Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System allows Object Injection. This issue affects WP-CRM System: from n/a through 3.4.1.
Affected versions: max 3.4.2.
Status: vulnerable

Dec 21, 2024

CVE, Research URL: CVE-2024-55991
Home page URL: Security reports for WordPress CRM Plugin – WP-CRM System
Application: WordPress CRM Plugin – WP-CRM System
Date: Dec 31, 2024
Research Description: Missing Authorization vulnerability in WP-CRM WP-CRM System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through 3.2.9.1.
Affected versions: max 3.2.9.1.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: CVE-2024-30434
Home page URL: Security reports for WordPress CRM Plugin – WP-CRM System
Application: WordPress CRM Plugin – WP-CRM System
Date: Mar 29, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-CRM System allows Stored XSS.This issue affects WP-CRM System: from n/a through 3.2.9.
Affected versions: max 3.2.9.1.
Status: vulnerable