cleantalk
Vulnerabilities and Security Researches

Lead Form Data Collection to CRM, CVE-2025-5692

CVE, Research URL

CVE-2025-5692

Home page URL

Security reports for Lead Form Data Collection to CRM

Application

Lead Form Data Collection to CRM

Published on
Jul 02, 2025
Research Description
The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable.
Affected versions
Min -, max 3.2.
Status
vulnerable
Previous vulnerability researches
Easy WP Optimizer – Optimize DB & WordPress (CVE-2025-32147) , Apr 06, 2025
WP Optimizer (CVE-2025-53314) , Jul 03, 2025
TGG WP Optimizer (CVE-2025-31463) , Apr 02, 2025
New vulnerability
WP Map Block – Gutenberg Map Block for Google Map and OpenStreet Map (CVE-2025-5194) , Jul 04, 2025
Amazon Products to WooCommerce (CVE-2025-5817) , Jul 04, 2025
WP-Recall – Registration, Profile, Commerce & More (CVE-2025-49991) , Jul 04, 2025
WP-Recall – Registration, Profile, Commerce & More (CVE-2025-52796) , Jul 04, 2025
Navayan Subscribe (CVE-2025-53311) , Jul 04, 2025