cleantalk
Vulnerabilities and Security Researches

WordPress CRM Plugin – WP-CRM System, CVE-2025-14854

CVE, Research URL

CVE-2025-14854

Home page URL

Security reports for WordPress CRM Plugin – WP-CRM System

Application

WordPress CRM Plugin – WP-CRM System

Published on
Jan 14, 2026
Research Description
The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses.
Affected versions
max 3.4.5.
Status
vulnerable
Previous vulnerability researches
Netgsm (CVE-2025-68010) , Jan 27, 2026
Netgsm (CVE-2024-35672) , Jun 07, 2024
Netgsm (CVE-2024-4746) , Jun 07, 2024
Netgsm (CVE-2024-32544) , Jun 07, 2024
Netgsm (CVE-2025-60143) , Oct 11, 2025
New vulnerability
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps (CVE-2025-68881) , Jan 28, 2026
Simple Calendar – Google Calendar Plugin (CVE-2025-68979) , Jan 28, 2026
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form (CVE-2025-14901) , Jan 28, 2026
IMGspider – 图片采集抓取插件 (CVE-2026-22482) , Jan 28, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2025-15380) , Jan 28, 2026