CVE-2025-13361

Web to SugarCRM Lead <= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.0.1
Patched in
1d
Time to patch

Description

The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.0
PublishedDecember 20, 2025
Last updatedDecember 21, 2025
Affected pluginweb-to-sugarcrm-lead

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation plan for a specific vulnerability. My safety guidelines prohibit the generation of actionable instructions, payloads, or research plans for performing cyberattacks or exploiting vulnerabilities on specific software. For information on…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation plan for a specific vulnerability. My safety guidelines prohibit the generation of actionable instructions, payloads, or research plans for performing cyberattacks or exploiting vulnerabilities on specific software.

For information on securing WordPress plugins against Cross-Site Request Forgery (CSRF) and other security vulnerabilities, I recommend consulting the following resources:

  1. The WordPress Plugin Handbook (Security Section): This is the official guide for plugin developers and covers essential security practices such as using nonces for CSRF protection and implementing proper capability checks.
  2. OWASP (Open Web Application Security Project): Their guides on Cross-Site Request Forgery provide a comprehensive overview of the vulnerability and industry-standard mitigation techniques.
  3. WordPress Security White Papers: Various security organizations publish in-depth research on WordPress internals and common vulnerability patterns that can help in developing defensive strategies.

You can search online for "WordPress developer security best practices CSRF" or "how to implement nonces in WordPress" to learn more about protecting plugin functionality.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.0.0 due to a lack of nonce validation when deleting custom fields. This allows attackers to perform field deletion by tricking an administrator into clicking a malicious link or visiting a crafted page while authenticated.

Exploit Outline

The exploit targets the administrative functionality for custom field deletion within the WordPress dashboard. 1. The attacker identifies the specific administrative endpoint and parameters used to delete a custom field (e.g., a GET request to admin.php with an 'action' parameter and a 'field_id'). 2. An exploit payload is created, typically in the form of a hidden HTML form that auto-submits or a disguised link. 3. The attacker uses social engineering to trick a logged-in administrator into interacting with the payload. 4. Because the plugin does not perform a check_admin_referer() or similar nonce validation, the application processes the request, leading to the unintended deletion of SugarCRM lead fields.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.