CVE-2025-5692

Name of the Vulnerable Software and Affected Versions: Lead Form Data Collection to CRM plugin for WordPress versions up to, and including, 3.1

Description: The issue allows unauthorized modification of data, leading to privilege escalation due to a missing capability check on the doFieldAjaxAction() function. This enables authenticated attackers with Subscriber-level access and above to update arbitrary options on the WordPress site, potentially updating the default role for registration to administrator and enabling user registration for attackers to gain administrative user access.

Recommendations: For versions up to, and including, 3.1, update to a version that includes a fix for the missing capability check in the doFieldAjaxAction() function. As a temporary workaround, consider disabling the doFieldAjaxAction() function until a patch is available. Restrict access to AJAX actions handling plugin settings to minimize the risk of exploitation.