cleantalk
Vulnerabilities and Security Researches

CRM and Lead Management by vcita, CVE-2023-2405

CVE, Research URL

CVE-2023-2405

Home page URL

Security reports for CRM and Lead Management by vcita

Application

CRM and Lead Management by vcita

Published on
Jun 03, 2023
Research Description
The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 2.7.1.
Status
vulnerable
Previous vulnerability researches
CRM and Lead Management by vcita (CVE-2024-13702) , Mar 27, 2025
CRM and Lead Management by vcita (CVE-2024-13703) , Mar 14, 2025
CRM and Lead Management by vcita (CVE-2023-2405) , Jun 07, 2024
CRM and Lead Management by vcita (CVE-2023-2404) , Jun 07, 2024
New vulnerability
Able Player, accessible HTML5 media player (CVE-2025-46475) , Apr 26, 2025
Dropdown Content (CVE-2025-46478) , Apr 26, 2025
BeerXML Shortcode (CVE-2025-46511) , Apr 26, 2025
WP AVCL Automation Helper (formerly WPFlyLeads) (CVE-2025-46531) , Apr 26, 2025
Multi-Column Taxonomy List (CVE-2025-46491) , Apr 26, 2025