Devs CRM – Manage tasks, attendance and teams all together Security & Risk Analysis

wordpress.org/plugins/devs-crm

DevCRM simplifies project management and member attendance and tasks tracking for your teams.

0 active installs · v1.1.9 · PHP 7.4.25+ · WP 4.6+ · Updated Dec 24, 2025
Tags: attendance-tracking, crm, employee-management, tasks-management
Score: 56 (C · Use Caution)
CVEs total: 2
Unpatched: 2
Last CVE: Dec 12, 2025
Safety Verdict

Is Devs CRM – Manage tasks, attendance and teams all together Safe to Use in 2026?

Use With Caution

Score 56/100

Devs CRM – Manage tasks, attendance and teams all together has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

2 known CVEs · 2 unpatched · Last CVE: Dec 12, 2025 · Updated 4mo ago
Risk Assessment

The "devs-crm" plugin v1.1.9 exhibits a mixed security posture. On the positive side, the plugin demonstrates strong adherence to secure coding practices regarding SQL queries, utilizing prepared statements exclusively, and ensuring all output is properly escaped. The presence of numerous nonce and capability checks also indicates an awareness of WordPress security best practices.

However, the attack surface analysis raises significant concerns. The plugin exposes 54 REST API routes, 2 of which lack permission callbacks, giving unauthenticated users a direct entry point to potentially sensitive functionality. The taint analysis reported zero flows, but that result may be incomplete if not every entry point was analyzed. The vulnerability history is particularly concerning: 2 medium-severity CVEs are currently unpatched, both attributed to missing authorization. This pattern suggests a recurring weakness in how the plugin handles user permissions, a critical aspect of web application security.

In conclusion, while the plugin has strengths in its handling of database queries and output, the identified unpatched vulnerabilities and the presence of unprotected REST API endpoints represent significant security risks. The recurring theme of missing authorization in past vulnerabilities demands immediate attention. The plugin requires urgent remediation of its unpatched CVEs and a thorough review of its REST API endpoints to ensure proper authorization checks are in place.

Key Concerns

  • 2 REST API routes without permission callbacks
  • 2 currently unpatched medium severity CVEs
Vulnerabilities
2 published

Devs CRM – Manage tasks, attendance and teams all together Security Vulnerabilities

CVEs by Year

2025: 2 CVEs, unpatched

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-13092 · medium · 5.3 · Missing Authorization

Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Unauthenticated Information Exposure

Dec 12, 2025 · Unpatched

CVE-2025-13093 · medium · 5.3 · Missing Authorization

Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update

Dec 12, 2025 · Unpatched
Code Analysis
Analyzed Apr 16, 2026

Devs CRM – Manage tasks, attendance and teams all together Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (121 prepared)
Unescaped Output: 0 (250 escaped)
Nonce Checks: 23
Capability Checks: 9
File Operations: 2
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE 5.10.7

SQL Query Safety

100% prepared · 121 total queries

Output Escaping

100% escaped · 250 total outputs
Attack Surface
2 unprotected

Devs CRM – Manage tasks, attendance and teams all together Attack Surface

Entry Points: 56
Unprotected: 2

REST API Routes 54

POST /wp-json/devs-crm/v1/add-attendance classes/class-devcrm-attendance-create-routes.php:17
get /wp-json/devs-crm/v1/attendances classes/class-devcrm-attendance-create-routes.php:27
get /wp-json/devs-crm/v1/paginate-attendances classes/class-devcrm-attendance-create-routes.php:39
get /wp-json/devs-crm/v1/members classes/class-devcrm-attendance-create-routes.php:51
POST /wp-json/devs-crm/v1/check-in-out classes/class-devcrm-attendance-create-routes.php:63
PUT /wp-json/devs-crm/v1/update-attendance/(?P<id>\d+) classes/class-devcrm-attendance-create-routes.php:73
DELETE /wp-json/devs-crm/v1/delete-attendance classes/class-devcrm-attendance-create-routes.php:83
POST /wp-json/devs-crm/v1/email-automation classes/class-devcrm-email-automation-routes.php:12
GET /wp-json/devs-crm/v1/email-automations classes/class-devcrm-email-automation-routes.php:17
DELETE /wp-json/devs-crm/v1/email-automation/(?P<id>\d+) classes/class-devcrm-email-automation-routes.php:22
POST /wp-json/devs-crm/v1/email-campaigns classes/class-devcrm-email-campaigns-routes.php:12
GET /wp-json/devs-crm/v1/email-campaigns classes/class-devcrm-email-campaigns-routes.php:18
PUT /wp-json/devs-crm/v1/email-campaigns/(?P<id>\d+) classes/class-devcrm-email-campaigns-routes.php:24
POST /wp-json/devs-crm/v1/email-campaigns/(?P<id>\d+)/send classes/class-devcrm-email-campaigns-routes.php:30
GET /wp-json/devs-crm/v1/email-campaigns/(?P<id>\d+) classes/class-devcrm-email-campaigns-routes.php:36
DELETE /wp-json/devs-crm/v1/email-campaigns/(?P<id>\d+) classes/class-devcrm-email-campaigns-routes.php:42
POST /wp-json/devs-crm/v1/email-template classes/class-devcrm-email-campaigns-routes.php:48
GET /wp-json/devs-crm/v1/show-email-templates classes/class-devcrm-email-campaigns-routes.php:54
DELETE /wp-json/devs-crm/v1/delete-email-template/(?P<id>\d+) classes/class-devcrm-email-campaigns-routes.php:60
PUT /wp-json/devs-crm/v1/update-email-template/(?P<id>\d+) classes/class-devcrm-email-campaigns-routes.php:66
GET /wp-json/devs-crm/v1/campaign-details/(?P<id>\d+) classes/class-devcrm-email-campaigns-routes.php:72
GET /wp-json/devs-crm/v1/unsubscribe classes/class-devcrm-email-campaigns-routes.php:78
POST /wp-json/devs-crm/v1/add-lead classes/class-devcrm-leads-create-routes.php:18
GET /wp-json/devs-crm/v1/leads classes/class-devcrm-leads-create-routes.php:28
GET /wp-json/devs-crm/v1/paginate-leads classes/class-devcrm-leads-create-routes.php:40
DELETE /wp-json/devs-crm/v1/delete-lead classes/class-devcrm-leads-create-routes.php:53
GET /wp-json/devs-crm/v1/lead/(?P<id>\d+) classes/class-devcrm-leads-create-routes.php:63
PUT /wp-json/devs-crm/v1/update-lead/(?P<id>\d+) classes/class-devcrm-leads-create-routes.php:74
PUT /wp-json/devs-crm/v1/bulk-update classes/class-devcrm-leads-create-routes.php:84
GET /wp-json/devs-crm/v1/export-leads classes/class-devcrm-leads-create-routes.php:96
POST /wp-json/devs-crm/v1/import-leads classes/class-devcrm-leads-create-routes.php:107
POST /wp-json/devs-crm/v1/add-member classes/class-devcrm-member-create-routes.php:18
get /wp-json/devs-crm/v1/users classes/class-devcrm-member-create-routes.php:28
get /wp-json/devs-crm/v1/members classes/class-devcrm-member-create-routes.php:40
GET /wp-json/devs-crm/v1/member/(?P<id>\d+) classes/class-devcrm-member-create-routes.php:52
PUT /wp-json/devs-crm/v1/update-member/(?P<id>\d+) classes/class-devcrm-member-create-routes.php:65
DELETE /wp-json/devs-crm/v1/delete-member classes/class-devcrm-member-create-routes.php:77
GET /wp-json/devs-crm/v1/get-roles classes/class-devcrm-member-create-routes.php:87
POST /wp-json/devs-crm/v1/add-comment classes/class-devcrm-task-comment-create-routes.php:16
GET /wp-json/devs-crm/v1/comments classes/class-devcrm-task-comment-create-routes.php:26
POST /wp-json/devs-crm/v1/add-task classes/class-devcrm-task-create-routes.php:19
get /wp-json/devs-crm/v1/tasks classes/class-devcrm-task-create-routes.php:29
get /wp-json/devs-crm/v1/task/(?P<id>\d+) classes/class-devcrm-task-create-routes.php:41
POST /wp-json/devs-crm/v1/task classes/class-devcrm-task-create-routes.php:53
DELETE /wp-json/devs-crm/v1/delete-task classes/class-devcrm-task-create-routes.php:63
POST /wp-json/devs-crm/v1/assign-task classes/class-devcrm-task-create-routes.php:73
get /wp-json/devs-crm/v1/status-prior classes/class-devcrm-task-create-routes.php:83
POST /wp-json/devs-crm/v1/status-prior classes/class-devcrm-task-create-routes.php:95
get /wp-json/devs-crm/v1/my-tasks classes/class-devcrm-task-create-routes.php:105
POST /wp-json/devs-crm/v1/complete classes/class-devcrm-task-create-routes.php:117
get /wp-json/devs-crm/v1/users-completed-task classes/class-devcrm-task-create-routes.php:127
get /wp-json/devs-crm/v1/task-tracker classes/class-devcrm-task-create-routes.php:139
POST /wp-json/devs-crm/v1/save-task-tracker classes/class-devcrm-task-create-routes.php:151
DELETE /wp-json/devs-crm/v1/delete-track classes/class-devcrm-task-create-routes.php:161

Shortcodes 2

[dcrm_members_checkin] DevsCrm.php:37
[dcrm_lead_form] DevsCrm.php:38

WordPress Hooks 17

action init DevsCrm.php:29
action admin_menu DevsCrm.php:31
action admin_enqueue_scripts DevsCrm.php:32
action wp_enqueue_scripts DevsCrm.php:34
action plugins_loaded DevsCrm.php:36
action rest_api_init classes/class-devcrm-attendance-create-routes.php:11
action devscrm_send_followup_email classes/class-devcrm-email-automation-cron-manager.php:8
action rest_api_init classes/class-devcrm-email-automation-routes.php:7
action devscrm_email_campaign classes/class-devcrm-email-campaigns-cron-manager.php:8
action rest_api_init classes/class-devcrm-email-campaigns-routes.php:7
action rest_api_init classes/class-devcrm-leads-create-routes.php:11
action rest_api_init classes/class-devcrm-member-create-routes.php:12
action rest_api_init classes/class-devcrm-task-comment-create-routes.php:10
filter upload_dir classes/class-devcrm-task-comment-create-routes.php:150
action rest_api_init classes/class-devcrm-task-create-routes.php:13
filter upload_dir classes/class-devcrm-task-create-routes.php:434
action admin_notices inc/devscrm-helpers.php:25

Scheduled Events 2

devscrm_campaign_followup_email
devscrm_email_campaign
Maintenance & Trust

Devs CRM – Manage tasks, attendance and teams all together Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Dec 24, 2025
PHP min version: 7.4.25
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Devs CRM – Manage tasks, attendance and teams all together Developer Profile

Devsbrain

3 plugins · 100 total installs

Trust score: 80
Avg Security Score: 71/100
Avg Patch Time: 4 days
Detection Fingerprints

How We Detect Devs CRM – Manage tasks, attendance and teams all together

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/devs-crm/build/frontend.js
/wp-content/plugins/devs-crm/build/index.css
/wp-content/plugins/devs-crm/build/admin.js
Script Paths
wp-content/plugins/devs-crm/build/frontend.js
wp-content/plugins/devs-crm/build/index.css
wp-content/plugins/devs-crm/build/admin.js
Version Parameters
devs-crm/build/frontend.js?ver=
devs-crm/build/index.css?ver=
devs-crm/build/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
devscrm-wrapper
devs_crm_account
devs_crm_admin
dcrm_shortcode_container
dcrm_lead_form_container
JS Globals
appLocalizer.apiUrl
appLocalizer.nonce
appLocalizer.pluginUrl
REST Endpoints
/wp-json/devs-crm/v1/add-attendance
Shortcode Output
<div class="devscrm-wrapper"><div id="dcrm_shortcode_container"></div></div>
<div class="devscrm-wrapper"><div id="dcrm_lead_form_container"></div></div>