Platform: wordpress
Component: web-to-sugarcrm-lead
Fixed in: 1.0.1
CVE-2025-13361 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Web to SugarCRM Lead plugin for WordPress. This flaw allows unauthenticated attackers to delete custom fields within the SugarCRM integration if they can induce a site administrator to perform a malicious action. The vulnerability impacts versions 1.0.0 and earlier, and a patch is available in version 1.0.1.
The primary impact of this CSRF vulnerability is the unauthorized deletion of custom fields within the SugarCRM integration. An attacker could craft a malicious link or form that, when visited by an administrator, triggers the deletion of critical custom fields. This could disrupt data synchronization, corrupt existing records, and potentially lead to data loss. While the vulnerability requires administrator interaction, the ease of crafting a CSRF attack makes it a significant risk, especially on sites with shared administrator accounts or where administrators are frequently targeted by phishing campaigns. The blast radius is limited to the SugarCRM integration and the custom fields defined within it.
This vulnerability was publicly disclosed on 2025-12-21. No public proof-of-concept (PoC) code has been released at the time of writing, but CSRF attacks are easy to construct, so exploitation could follow quickly. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 4.3 (Medium) reflects the potential for impact and the relatively low complexity of exploitation.
Websites utilizing the Web to SugarCRM Lead plugin for WordPress integration, particularly those with shared administrator accounts or those that are frequently targeted by phishing attacks, are at risk. Sites with custom fields critical to their SugarCRM data synchronization are especially vulnerable.
• wordpress / composer / npm:
  grep -r 'delete_custom_field' /var/www/wordpress/wp-content/plugins/web-to-sugar-crm-lead/
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'web-to-sugar-crm-lead'
• generic web: Check the WordPress plugin directory for updates and security advisories related to the Web to SugarCRM Lead plugin.
• generic web: Review WordPress access logs for suspicious POST requests targeting custom-field deletion endpoints.
Disclosure:
Exploit status:
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation is to immediately upgrade the Web to SugarCRM Lead plugin to version 1.0.1 or later, which addresses the missing nonce validation. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the custom field deletion endpoint that lack proper authentication. Additionally, educate administrators about the risks of clicking on suspicious links and verify the legitimacy of any requests before performing actions. Regularly review user permissions and restrict administrator access to only those who require it.
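As an added illustration of the defect class the advisory describes (an admin action that deletes a custom field without nonce validation), here is a hypothetical WordPress admin-post handler shown first unprotected and then hardened with a capability check and a nonce. This is example code, not the plugin's own source; the function names, hook name, option name and settings-page slug are assumptions.

```php
<?php
// Added example, not code from the Web to SugarCRM Lead plugin. All names
// below (wtsl_* functions, the 'wtsl_delete_field' action, the
// 'wtsl_custom_fields' option, the 'wtsl-settings' page) are assumptions.

// --- Unprotected pattern (illustrates the CSRF defect; NOT hooked) ---
// Any request that reaches this handler deletes the field: nothing proves
// the logged-in administrator intended the action, so a forged cross-site
// form submitted while they are logged in is enough.
function wtsl_delete_field_unprotected() {
    $field  = sanitize_key( $_REQUEST['field'] ?? '' );
    $fields = get_option( 'wtsl_custom_fields', array() );
    unset( $fields[ $field ] );
    update_option( 'wtsl_custom_fields', $fields );
}

// --- Hardened handler: capability check + nonce bound to the action ---
function wtsl_delete_field_hardened() {
    // 1. Only users allowed to manage options may delete a mapping.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $field = sanitize_key( $_POST['field'] ?? '' );
    // 2. The nonce is tied to the action AND the specific field, so a forged
    //    request from another origin cannot present a valid token; on failure
    //    check_admin_referer() stops execution with a 403.
    check_admin_referer( 'wtsl_delete_field_' . $field, '_wtsl_nonce' );

    $fields = get_option( 'wtsl_custom_fields', array() );
    if ( isset( $fields[ $field ] ) ) {
        unset( $fields[ $field ] );
        update_option( 'wtsl_custom_fields', $fields );
    }
    wp_safe_redirect( add_query_arg( 'deleted', '1', admin_url( 'admin.php?page=wtsl-settings' ) ) );
    exit;
}
add_action( 'admin_post_wtsl_delete_field', 'wtsl_delete_field_hardened' );

// Settings-page side: the delete control is a POST form carrying the nonce,
// generated by wp_nonce_field() with the same action string the handler checks.
function wtsl_render_delete_form( $field ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wtsl_delete_field">
        <input type="hidden" name="field" value="<?php echo esc_attr( $field ); ?>">
        <?php wp_nonce_field( 'wtsl_delete_field_' . $field, '_wtsl_nonce' ); ?>
        <?php submit_button( 'Delete field', 'delete', 'submit', false ); ?>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, the thing to look for is the hardened handler's pair of checks (current_user_can plus check_admin_referer or wp_verify_nonce) on every state-changing admin action.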
Update to version 1.0.1 or a newer patched version.
CVE-2025-13361 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Web to SugarCRM Lead WordPress plugin, allowing attackers to delete custom fields.
You are affected if you are using the Web to SugarCRM Lead plugin version 1.0.0 or earlier.
Upgrade the Web to SugarCRM Lead plugin to version 1.0.1 or later to resolve the vulnerability.
While no public exploits are currently known, CSRF attacks are easy to construct, so exploitation could follow quickly.
Refer to the WordPress plugin directory and the plugin developer's website for the latest security advisories and updates.