WP-CRM System Missing Authorization Vulnerability Allows PII Exposure and Task Modification
Vulnerability
A vulnerability exists in the WP-CRM System plugin for WordPress, specifically in versions through 3.4.5. The issue arises from inadequate capability checks on two AJAX functions, wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status. This flaw enables authenticated attackers with subscriber-level access or higher to access and enumerate CRM contact email addresses, leading to unauthorized disclosure of personal information. Additionally, these attackers can modify the statuses of CRM tasks, potentially disrupting workflow and task management processes.
Impact
Exploitation of this vulnerability allows for unauthorized access to personal information, specifically CRM contact email addresses, and unauthorized modification of CRM task statuses.
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the wpcrm_get_email_recipients AJAX function, which does not perform the necessary capability checks. This request can include a recipient parameter to search for email addresses. Similarly, the wpcrm_system_ajax_task_change_status function can be called to change the status of a CRM task, again bypassing authorization requirements.
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.
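Where the plugin cannot be removed immediately, a must-use plugin can enforce the missing capability check ahead of the two handlers. This is an added example, not code from WP-CRM System or from the original advisory; it assumes the AJAX action names match the function names above and that manage_options is the right capability for your site.

```php
<?php
/**
 * Plugin Name: WP-CRM System AJAX capability guard (added example)
 * Stopgap must-use plugin: place in wp-content/mu-plugins/.
 */

// ASSUMPTION: the AJAX action names equal the function names given in the
// advisory. Confirm against the plugin's add_action( 'wp_ajax_...' ) calls.
const WPCRM_GUARDED_ACTIONS = array(
    'wpcrm_get_email_recipients',
    'wpcrm_system_ajax_task_change_status',
);

// ASSUMPTION: only administrators should reach these handlers. Replace with
// the capability your CRM users actually hold.
const WPCRM_REQUIRED_CAP = 'manage_options';

function wpcrm_guard_deny_unprivileged() {
    if ( current_user_can( WPCRM_REQUIRED_CAP ) ) {
        return; // Let the plugin's own handler run at its normal priority.
    }
    $user = wp_get_current_user();
    // Record the denied call so subscriber-level probing is visible in logs.
    error_log( sprintf(
        'wpcrm-guard: denied action=%s user_id=%d ip=%s',
        isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '',
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : ''
    ) );
    // wp_send_json_error() ends the request, so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( WPCRM_GUARDED_ACTIONS as $action ) {
    // Priority 0 runs before handlers registered at the default priority 10.
    add_action( 'wp_ajax_' . $action, 'wpcrm_guard_deny_unprivileged', 0 );
    // Also covers a logged-out registration, if the plugin has one.
    add_action( 'wp_ajax_nopriv_' . $action, 'wpcrm_guard_deny_unprivileged', 0 );
}
```

The guard only takes effect if the plugin registers its handlers at a priority above 0, so verify by calling both actions as a subscriber and checking for the 403 response and the log entry.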
