{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13093", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T20:43:33.736Z", "datePublished": "2025-12-13T04:31:27.311Z", "dateUpdated": "2026-04-08T17:01:54.080Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:54.080Z"}, "affected": [{"vendor": "ajitdas", "product": "Devs CRM \u2013 Manage tasks, attendance and teams all together", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads tags."}], "title": "Devs CRM \u2013 Manage tasks, attendance and teams all together <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859?source=cve"}, {"url": "https://wordpress.org/plugins/devs-crm/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-12T16:08:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:25:06.655205Z", "id": "CVE-2025-13093", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:33:54.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:25:06.655205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:25:07.717Z"}}], "cna": {"title": "Devs CRM \u2013 Manage tasks, attendance and teams all together <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "ajitdas", "product": "Devs CRM \u2013 Manage tasks, attendance and teams all together", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:08:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859?source=cve"}, {"url": "https://wordpress.org/plugins/devs-crm/"}], "descriptions": [{"lang": "en", "value": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads tags."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-13T04:31:27.311Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13093", "state": "PUBLISHED", "dateUpdated": "2025-12-15T15:33:54.817Z", "dateReserved": "2025-11-12T20:43:33.736Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:27.311Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads tags."}], "id": "CVE-2025-13093", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:47.143", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/devs-crm/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:12:17.619492+00:00", "value": {"mitigation_remediation": ["Update the Devs CRM plugin to the latest version that includes the missing capability check.", "If an immediate update is not possible, block or restrict unauthenticated access to the /wp-json/devs-crm/v1/bulk-update endpoint using a firewall rule or by adding a custom capability check in the plugin code.", "Monitor lead tag changes and audit REST API activity for suspicious bulk update attempts."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "All installations of the Devs CRM \u2013 Manage tasks, attendance and teams all together WordPress plugin with a version of 1.1.8 or earlier are affected. No other vendors or products are listed.", "description_and_impact": "The Devs CRM \u2013 Manage tasks, attendance and teams all together plugin for WordPress contains a missing capability check on the /wp-json/devs-crm/v1/bulk-update REST\u2011API endpoint in all versions up to and including 1.1.8. This absence of authorization allows unauthenticated attackers to modify lead tags in bulk, thereby changing data stored in the CRM. The vulnerability does not grant code execution or direct access to the server, but it compromises data integrity by enabling unauthorized modification of lead information.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score of < 1% reflects a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this flaw by sending unauthenticated HTTP requests to the /wp-json/devs-crm/v1/bulk-update endpoint, resulting in unauthorized changes to lead tags. No additional credentials or privileged access are required, making the exploitation path straightforward for attackers."}}}}, "created": "2025-12-14T21:14:53.021117+00:00", "updated": "2026-04-22T00:15:03.775273+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}