CVE-2025-13312 MEDIUM

CVE-2025-13312: CRM Memberships <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action

Vendor Dripadmin

Product CRM Memberships

Weakness CWE-862 · Missing authorization

Published December 5, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags and modify CRM configuration that should be restricted to administrators.

Explanation of Vulnerability in Simple Terms

02Summary

CRM Memberships versions 2.5 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify data on the site. The vulnerability requires no user interaction and can be exploited over the network. Site administrators should update to a version newer than 2.5 immediately.

What an attacker can do

03Attacker Capabilities

Modify site data without logging in or having permission to do so.

Potential impact on your site

04Site Impact

Unauthorized users can alter membership records, settings, or other protected data without credentials.

Conditions required to exploit

05Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06Disclosure timeline

December 5, 2025 CVE published

April 8, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13312 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities