cleantalk
Vulnerabilities and Security Researches

Lead Form Data Collection to CRM, CVE-2025-5692

CVE, Research URL

CVE-2025-5692

Home page URL

Security reports for Lead Form Data Collection to CRM

Application

Lead Form Data Collection to CRM

Published on
Jul 02, 2025
Research Description
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable.
Affected versions
Min -, max 3.2.
Status
vulnerable
Previous vulnerability researches
GNA Search Shortcode (CVE-2025-46540) , Apr 26, 2025
New vulnerability
AI ChatBot (CVE-2025-53200) , Jul 04, 2025
IS-theme-companion (CVE-2025-53277) , Jul 04, 2025
Lead Form Data Collection to CRM (CVE-2025-5692) , Jul 04, 2025
Drive Folder Embedder (CVE-2025-6546) , Jul 04, 2025
WP Roadmap – Product Feedback Board (CVE-2025-52822) , Jul 04, 2025