{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13092", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T20:40:30.930Z", "datePublished": "2025-12-13T04:31:32.532Z", "dateUpdated": "2026-04-08T17:21:11.739Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:11.739Z"}, "affected": [{"vendor": "ajitdas", "product": "Devs CRM \u2013 Manage tasks, attendance and teams all together", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes."}], "title": "Devs CRM \u2013 Manage tasks, attendance and teams all together <= 1.1.8 - Unauthenticated Information Expsoure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c67c520d-4843-4ef1-8c96-cbf0eaab58cb?source=cve"}, {"url": "https://wordpress.org/plugins/devs-crm/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-12T16:08:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:24:56.011238Z", "id": "CVE-2025-13092", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:33:23.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13092", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:24:56.011238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:24:57.061Z"}}], "cna": {"title": "Devs CRM \u2013 Manage tasks, attendance and teams all together <= 1.1.8 - Unauthenticated Information Expsoure", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "ajitdas", "product": "Devs CRM \u2013 Manage tasks, attendance and teams all together", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:08:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c67c520d-4843-4ef1-8c96-cbf0eaab58cb?source=cve"}, {"url": "https://wordpress.org/plugins/devs-crm/"}], "descriptions": [{"lang": "en", "value": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:11.739Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13092", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:11.739Z", "dateReserved": "2025-11-12T20:40:30.930Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:32.532Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes."}], "id": "CVE-2025-13092", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:46.993", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/devs-crm/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c67c520d-4843-4ef1-8c96-cbf0eaab58cb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:09:44.467308+00:00", "value": {"mitigation_remediation": ["Upgrade Devs CRM plugin to the latest available version, which includes a proper capability check for the attendances endpoint.", "If immediate upgrade is not possible, disable or remove the /wp-json/devs-crm/v1/attendances route, or add a custom capability check that limits access to authenticated users only.", "Implement server\u2011side access controls, such as firewall or .htaccess rules, to block unauthenticated requests to any Devs\u00a0CRM REST endpoints until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Devs CRM plugin version\u00a01.1.8 or earlier, provided by vendor ajitdas, are susceptible to this flaw. The vulnerability is confined to the plugin\u2019s REST interface and does not directly affect the core WordPress installation.", "description_and_impact": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress contains a missing capability check on the /wp-json/devs-crm/v1/attendances REST API endpoint. As a result, unauthenticated users can retrieve private user data, including password hashes. This leads to an Information Disclosure vulnerability with a medium severity rating (CVSS\u00a05.3).", "risk_and_exploitability": "This vulnerability can be exploited remotely via HTTP by making unauthenticated requests to the public REST API endpoint. The EPSS score is below 1\u00a0% and the issue is not in CISA\u2019s KEV catalog, indicating low current exploitation probability. However, because no credentials are needed and the endpoint returns sensitive data, the impact is significant. The CVSS score of 5.3 places it in the medium range, and the absence of authentication checks means attackers could potentially harvest password hashes under insecure configurations."}}}}, "created": "2025-12-14T21:15:03.123223+00:00", "updated": "2026-04-21T17:15:25.335439+00:00", "vendors": ["ajitdas", "ajitdas$PRODUCT$devs_crm", "wordpress", "wordpress$PRODUCT$wordpress"]}