PT-2026-2818 · WordPress · Wp-Crm System+1

Teerachai Somprasong · Published 2026-01-14 · Updated 2026-01-14 · CVE-2025-14854

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WP-CRM System plugin for WordPress versions up to and including 3.4.5

Description

The WP-CRM System plugin for WordPress is susceptible to unauthorized access because of absent capability checks within the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions. This allows authenticated attackers possessing subscriber-level access or higher to enumerate CRM contact email addresses, resulting in potential PII disclosure, and to modify CRM task statuses.

Recommendations

Update the WP-CRM System plugin to a version later than 3.4.5.

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-14854

Affected Products

Wp-Crm System
Wordpress