What the vulnerability does
01 Description
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct requests to the vulnerable endpoints, provided they can craft malicious requests with specific parameters.
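The bug class described above (request-driven handlers on 'init' with no capability check or nonce verification) can be triaged statically in any plugin. This Python audit sketch is an added example, not code from the plugin or from this advisory; the PHP in `SAMPLE_PHP` is constructed and every `demo_*` name is hypothetical.

```python
import re

# Constructed PHP sample: an unguarded 'init' handler beside a guarded one.
# All demo_* names are hypothetical and are not the plugin's identifiers.
SAMPLE_PHP = r"""
add_action('init', 'demo_save_oauth');
function demo_save_oauth() {
    if (isset($_POST['demo_client_secret'])) {
        update_option('demo_client_secret', $_POST['demo_client_secret']);
    }
}
add_action('init', 'demo_save_oauth_checked');
function demo_save_oauth_checked() {
    if (!isset($_POST['demo_client_secret'])) { return; }
    if (!current_user_can('manage_options')) { wp_die('Forbidden', 403); }
    check_admin_referer('demo_save_oauth');
    update_option('demo_client_secret', sanitize_text_field(wp_unslash($_POST['demo_client_secret'])));
}
"""

HOOK = re.compile(r"add_action\(\s*['\"]init['\"]\s*,\s*['\"](\w+)['\"]")
INPUT = re.compile(r"\$_(GET|POST|REQUEST)\b")
CHECKS = {
    "capability check": re.compile(r"\bcurrent_user_can\s*\("),
    "nonce verification": re.compile(
        r"\b(check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\("),
}

def function_body(src, name):
    """Return the brace-balanced body of a named PHP function, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # heuristic: ignores braces inside strings
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_init_handlers(src):
    """Map each 'init' callback that reads request data to its missing checks."""
    findings = {}
    for name in HOOK.findall(src):
        body = function_body(src, name)
        if body is None or not INPUT.search(body):
            continue  # not found in this file, or not driven by request input
        missing = [label for label, rx in CHECKS.items() if not rx.search(body)]
        if missing:
            findings[name] = missing
    return findings
```

A finding is a triage lead, not proof: a handler may delegate its checks to a helper function, so each flagged callback still needs manual review.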
Explanation of Vulnerability in Simple Terms
02 Summary
The Integrate Dynamics 365 CRM product through version 1.0.9 is missing an authentication mechanism, which allows unauthenticated network access to read and modify data. An attacker can access the application without credentials and retrieve or alter sensitive information. No user interaction is required. Update to a version newer than 1.0.9.
What an attacker can do
03 Attacker Capabilities
Read and modify sensitive data without providing credentials.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter data in your Dynamics 365 CRM integration without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the application; no authentication required.
Key dates
06 Disclosure timeline
October 4, 2025: CVE published
April 8, 2026: Record updated