{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12696", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-11-04T13:57:14.225Z", "datePublished": "2025-12-14T06:00:02.516Z", "dateUpdated": "2026-04-02T12:39:52.989Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:52.989Z"}, "title": "HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "HelloLeads CRM Form Shortcode", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.0"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them"}], "references": [{"url": "https://wpscan.com/vulnerability/e552dfc8-c6e1-4605-bc36-30dc4066eaea/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T14:45:37.130430Z", "id": "CVE-2025-12696", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T14:45:40.689Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-12696", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T14:45:37.130430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T14:45:23.845Z"}}], "cna": {"title": "HelloLeads CRM Form Shortcode <= 1.0 - Unauthenticated Settings Reset", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "HelloLeads CRM Form Shortcode", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/e552dfc8-c6e1-4605-bc36-30dc4066eaea/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:52.989Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12696", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:52.989Z", "dateReserved": "2025-11-04T13:57:14.225Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-12-14T06:00:02.516Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them"}], "id": "CVE-2025-12696", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-14T06:15:37.267", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/e552dfc8-c6e1-4605-bc36-30dc4066eaea/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:29:16.210223+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s latest patch or upgrade the HelloLeads CRM Form Shortcode plugin to a version that includes proper authentication and CSRF checks for the settings reset feature.", "If a patch is not yet available, block the reset endpoint with a web application firewall rule or by disabling the plugin until an update is released.", "Review the plugin\u2019s remaining exposed endpoints and audit the WordPress configuration for other insecure functionalities; apply general WordPress hardening best practices such as restricting user roles, disabling file editing from the dashboard, and monitoring for unauthorized configuration changes."], "summary": {"action": "Assess & Patch", "impact": "Unauthenticated Settings Reset"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the HelloLeads CRM Form Shortcode plugin for WordPress, versions up to 1.0. All WordPress installations that include this plugin prior to an updated version are at risk; no other vendors or versions are currently known to be impacted.", "description_and_impact": "The HelloLeads CRM Form Shortcode WordPress plugin up to version 1.0 lacks any authorization or CSRF protection when resetting its settings. An attacker can send a request to the reset endpoint without authenticating and force the plugin to revert to its default configuration, potentially disrupting application behavior, exposing sensitive configuration data, or weakening defenses for future attacks. The flaw primarily affects configuration integrity and availability of the WordPress site hosting the plugin.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, while the EPSS score of less than 1% points to a low probability of public exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely target the reset URL directly, as no CSRF token or authentication check exists. Because the flaw requires only the presence of the request URL, any user who can reach the site could trigger a reset, underscoring the importance of mitigations even in low\u2011exploitation scenarios."}}}}, "created": "2025-12-15T14:05:54.527443+00:00", "updated": "2026-04-27T22:30:14.459896+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-284", "CWE-352"]}