CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
What the vulnerability does
The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes.
Explanation of Vulnerability in Simple Terms
Devs CRM versions up to 1.1.8 lack proper authorization checks, allowing unauthenticated attackers to read sensitive information through network requests. The vulnerability requires no user interaction and affects the confidentiality of data stored in the application. Site administrators should update to a version newer than 1.1.8 as soon as available.
What an attacker can do
Read sensitive data from the CRM without logging in.
Potential impact on your site
Unauthorized users can access confidential task, attendance, and team information stored in your CRM.
Conditions required to exploit
Network access to the CRM application; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
