Vulnerabilities and security researches forwp-leads-builder-any-crm wp-leads-builder-any-crm

Apr 02, 2025

CVE, Research URL: CVE-2025-30810
Home page URL: Security reports for Lead Form Data Collection to CRM
Application: Lead Form Data Collection to CRM
Date: Mar 27, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smackcoders Lead Form Data Collection to CRM allows Blind SQL Injection. This issue affects Lead Form Data Collection to CRM: from n/a through 3.0.1.
Affected versions: max 3.1.
Status: vulnerable

May 14, 2025

CVE, Research URL: CVE-2025-47690
Home page URL: Security reports for Lead Form Data Collection to CRM
Application: Lead Form Data Collection to CRM
Date: May 23, 2025
Research Description: Missing Authorization vulnerability in smackcoders Lead Form Data Collection to CRM allows Privilege Escalation. This issue affects Lead Form Data Collection to CRM: from n/a through 3.1.
Affected versions: max 3.1.
Status: vulnerable

Jul 04, 2025

CVE, Research URL: CVE-2025-5692
Home page URL: Security reports for Lead Form Data Collection to CRM
Application: Lead Form Data Collection to CRM
Date: Jul 02, 2025
Research Description: The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable.
Affected versions: max 3.2.
Status: vulnerable