Devs CRM WordPress Plugin Missing Authorization Vulnerability in Bulk Update REST API Endpoint

Vulnerability

A vulnerability exists in the Devs CRM WordPress plugin, specifically in versions through 1.1.8, allowing unauthorized data modification. The issue arises from a lack of capability checks on the '/wp-json/devs-crm/v1/bulk-update' REST API endpoint. This flaw enables unauthenticated attackers to alter lead tags.

Impact

Exploitation of this vulnerability allows for unauthorized users to modify lead tags, potentially leading to mismanagement of task and attendance data.

Added: Dec 13, 2025, 5:17 PM

Updated: Dec 13, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.4

remediation

0.0

relevance

1.5

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.4

remediation

0.0

relevance

1.5

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Devs CRM WordPress Plugin Missing Authorization Vulnerability in Bulk Update REST API Endpoint

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating