HelloLeads CRM Form Shortcode WordPress Plugin Unauthenticated Settings Reset Vulnerability

Vulnerability

A vulnerability exists in the HelloLeads CRM Form Shortcode WordPress plugin, versions through 1.0, due to the absence of authorization and Cross-Site Request Forgery (CSRF) protections when resetting plugin settings. This flaw allows unauthenticated users to reset the plugin's configuration.

Impact

Exploitation of this vulnerability allows unauthorized users to reset the plugin's settings, potentially disrupting user configurations or workflows.

Reproduction

To reproduce this vulnerability, first configure the HelloLeads CRM Form Shortcode plugin with an API key. Then, send a POST request to 'wp-admin/admin-ajax.php' with the action 'hls_crmf_reset_crm_config' and a token value of 'reset'. This request, which requires neither an authenticated session nor a valid nonce, will reset the API key, demonstrating the vulnerability.
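The root cause described above is an AJAX handler that is reachable without authentication and gated only by a static token. The following is an added illustrative example, not the plugin's own code: it shows that pattern next to a hardened handler that drops the nopriv hook, checks a capability, and verifies a nonce bound to the action. The option name 'example_crm_api_key' and the script handle are placeholders; the action name comes from the advisory.

```php
<?php
// Added example (not the plugin's code). 'example_crm_api_key' is a placeholder option name.

// Vulnerable pattern as the advisory describes it: registered for both logged-in
// and anonymous visitors, and the only gate is a static 'token' value. Shown for
// comparison only; do not register a handler this way.
function insecure_reset_crm_config() {
    if ( isset( $_POST['token'] ) && 'reset' === $_POST['token'] ) {
        delete_option( 'example_crm_api_key' );
        wp_send_json_success( 'reset' );
    }
    wp_send_json_error( 'bad token' );
}
// add_action( 'wp_ajax_nopriv_hls_crmf_reset_crm_config', 'insecure_reset_crm_config' );
// add_action( 'wp_ajax_hls_crmf_reset_crm_config',        'insecure_reset_crm_config' );

// Hardened handler: logged-in hook only (no wp_ajax_nopriv_ registration),
// a capability check, and a nonce tied to this specific action.
function secure_reset_crm_config() {
    // Verifies the 'nonce' POST field against the action name; dies with 403 on failure.
    check_ajax_referer( 'hls_crmf_reset_crm_config', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    delete_option( 'example_crm_api_key' );
    wp_send_json_success( 'reset' );
}
add_action( 'wp_ajax_hls_crmf_reset_crm_config', 'secure_reset_crm_config' );

// The settings page script must send the matching nonce. 'example-settings-js'
// is a placeholder script handle.
function example_enqueue_settings_script() {
    wp_localize_script( 'example-settings-js', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hls_crmf_reset_crm_config' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

With the hardened handler in place, the reproduction request above fails the nonce check before any option is touched, and an authenticated low-privilege user is stopped by the capability check.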

Added: Dec 14, 2025, 6:19 AM
Updated: Dec 14, 2025, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.