Critical Security Alert: Unauthenticated Password Reset Vulnerability in CRM Memberships Plugin (CVE-2025-13313)

Overview

A critical vulnerability, identified as CVE-2025-13313, has been discovered in the CRM Memberships plugin for WordPress. This flaw allows unauthenticated attackers to reset arbitrary user passwords, potentially leading to complete account takeover and unauthorized access to sensitive data. This vulnerability affects all versions up to and including version 2.5 of the plugin. Website administrators using the CRM Memberships plugin are strongly advised to take immediate action to mitigate this risk.

Technical Details

The vulnerability stems from missing authentication and authorization checks on the ntzcrm_changepassword AJAX action, which WordPress serves through admin-ajax.php. An attacker can reach the handler with a crafted request without logging in, and nothing verifies that the caller is the account's owner or an authenticated administrator, so the password of any user can be set to an attacker-chosen value. The plugin also exposes the ntzcrm_get_users action without authentication, which lets an attacker enumerate registered users and their email addresses and so obtain the identifiers needed to target a specific account, such as an administrator, in the password reset. The specific code locations contributing to this vulnerability are:
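The bug class described above, shown as an added illustrative example rather than the CRM Memberships plugin's own code. The handler names, the wp_set_password call and the user_id and password request parameters are assumptions about how such a handler is typically written; the point is the missing checks in the first version and the three checks the hardened version adds (logged-in caller only, nonce, and a caller may change only their own password unless they hold the edit_users capability).

```php
<?php
/**
 * Illustrative example (not the CRM Memberships plugin's code): the bug
 * pattern the advisory describes, followed by a hardened form. Parameter
 * names (user_id, password, nonce) and the handler names are assumptions.
 */

// --- Vulnerable pattern (hypothetical) ---
// Registering the same handler on the nopriv hook makes it reachable by
// anonymous callers, and nothing checks who is calling or whether they may
// touch the requested account.
add_action( 'wp_ajax_ntzcrm_changepassword',        'ntzcrm_changepassword_vulnerable' );
add_action( 'wp_ajax_nopriv_ntzcrm_changepassword', 'ntzcrm_changepassword_vulnerable' );

function ntzcrm_changepassword_vulnerable() {
    $user_id  = (int) $_POST['user_id'];        // attacker-chosen target
    $password = (string) $_POST['password'];    // attacker-chosen value
    wp_set_password( $password, $user_id );     // resets any account, admin included
    wp_send_json_success();
}

// Same problem on the enumeration endpoint: anyone can list accounts.
add_action( 'wp_ajax_nopriv_ntzcrm_get_users', 'ntzcrm_get_users_vulnerable' );

function ntzcrm_get_users_vulnerable() {
    wp_send_json_success( get_users( array( 'fields' => array( 'ID', 'user_email' ) ) ) );
}

// --- Hardened form ---
// 1. No nopriv registration: only logged-in users reach the handler.
// 2. check_ajax_referer() ties the request to a nonce the plugin rendered,
//    which stops cross-site request forgery from a logged-in victim.
// 3. The authorization decision is explicit: own account, or edit_users.
add_action( 'wp_ajax_ntzcrm_changepassword', 'ntzcrm_changepassword_hardened' );

function ntzcrm_changepassword_hardened() {
    check_ajax_referer( 'ntzcrm_changepassword', 'nonce' ); // terminates on failure

    $actor_id  = get_current_user_id();
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $actor_id;
    $password  = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    if ( ! ntzcrm_may_change_password( $actor_id, $target_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'password too short' ), 400 );
    }

    wp_set_password( $password, $target_id );
    wp_send_json_success();
}

// Listing users is an administrative action in WordPress: require list_users.
add_action( 'wp_ajax_ntzcrm_get_users', 'ntzcrm_get_users_hardened' );

function ntzcrm_get_users_hardened() {
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( get_users( array( 'fields' => array( 'ID', 'user_email' ) ) ) );
}

/** Authorization decision kept separate so it can be unit-tested in isolation. */
function ntzcrm_may_change_password( $actor_id, $target_id ) {
    if ( $actor_id <= 0 || $target_id <= 0 ) {
        return false;                        // anonymous caller or bogus target
    }
    if ( $actor_id === $target_id ) {
        return true;                         // a user may reset their own password
    }
    return user_can( $actor_id, 'edit_users' ); // anyone else's needs admin rights
}
```

The separation into ntzcrm_may_change_password is deliberate: it is the line that, missing, turns a password-change feature into an account-takeover primitive, and a small pure function is far easier to test and review than a check buried inside request handling.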

CVSS Analysis

  • CVE ID: CVE-2025-13313
  • Severity: CRITICAL
  • CVSS Score: 9.8

A CVSS score of 9.8 falls in the Critical band (9.0 to 10.0) and is consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: exploitable over the network with low attack complexity, requiring no privileges and no user interaction, with high impact on the confidentiality, integrity and availability of the affected site. In practice, an attacker who resets an administrator's password gains full control of the WordPress installation.

Possible Impact

The successful exploitation of this vulnerability can have severe consequences:

  • Account Takeover: Attackers can gain full control of user accounts, including administrator accounts.
  • Data Breach: Unauthorized access to sensitive user data stored within the plugin and potentially the entire WordPress database.
  • Website Defacement: Attackers can modify website content, inject malicious code, or completely deface the site.
  • Malware Distribution: Compromised accounts can be used to distribute malware to website visitors.
  • Reputational Damage: A successful attack can severely damage the website’s reputation and erode user trust.

Mitigation and Patch Steps

To mitigate this vulnerability, it is strongly recommended to take one of the following actions immediately:

  1. Update the Plugin: Check for an updated version of the CRM Memberships plugin. If an update is available, install it immediately. Ensure the update addresses the security vulnerability outlined in CVE-2025-13313.
  2. Remove the Plugin: If no update is available or if the plugin is no longer actively maintained, completely remove the CRM Memberships plugin from your WordPress installation. Consider alternative CRM plugins that are actively maintained and have a strong security record.
  3. Temporary Mitigation (If Update/Removal Isn’t Immediately Possible – Proceed with Extreme Caution): If neither update nor removal is immediately possible, implement a temporary mitigation measure. This could involve adding custom code to your WordPress installation that refuses unauthenticated requests to the vulnerable AJAX endpoints (ntzcrm_changepassword and ntzcrm_get_users) and requires an appropriate capability from authenticated callers. This is not a substitute for a proper patch: it only covers the entry points you know about, it may break legitimate plugin functionality, and a mistake in the custom code can itself introduce new problems. Verify the block with a test request after deploying it, and consult a security professional before attempting this.
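One way to implement the temporary mitigation in step 3 as a must-use plugin, added here as an example and not code from the CRM Memberships plugin or its author. It assumes the plugin registers its handlers on the standard wp_ajax_{action} and wp_ajax_nopriv_{action} hooks for the two action names in this advisory; if it dispatches them some other way, the hooks below never fire and the file gives no protection, which is why the verification request in the note after the block matters.

```php
<?php
/**
 * Plugin Name: Temporary hardening for CRM Memberships AJAX endpoints
 * Description: Added example, not the plugin's own code. Place this file in
 *              wp-content/mu-plugins/ so it loads before regular plugins, and
 *              delete it once the plugin is updated or removed.
 */

// The two action names come from the advisory. That the plugin's handlers
// hang off the standard wp_ajax_* hooks for them is an assumption.
$ntzcrm_hardening_actions = array( 'ntzcrm_changepassword', 'ntzcrm_get_users' );

foreach ( $ntzcrm_hardening_actions as $ntzcrm_action ) {
    // Unauthenticated path: refuse outright. Priority 0 runs before the
    // plugin's own callback (default priority 10), and wp_send_json_error()
    // terminates the request, so the vulnerable handler never executes.
    add_action( 'wp_ajax_nopriv_' . $ntzcrm_action, 'ntzcrm_hardening_block_anonymous', 0 );

    // Authenticated path: demand the capability WordPress itself requires for
    // editing or listing other users. This also stops low-privilege members
    // from using the endpoint; relax it only once you have confirmed the
    // handler restricts such users to their own account.
    add_action( 'wp_ajax_' . $ntzcrm_action, 'ntzcrm_hardening_require_capability', 0 );
}

function ntzcrm_hardening_block_anonymous() {
    ntzcrm_hardening_log( 'blocked unauthenticated call' );
    wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
}

function ntzcrm_hardening_require_capability() {
    $needed = ( current_action() === 'wp_ajax_ntzcrm_get_users' ) ? 'list_users' : 'edit_users';
    if ( ! current_user_can( $needed ) ) {
        ntzcrm_hardening_log( 'blocked user ' . get_current_user_id() . ' lacking ' . $needed );
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}

/** Writes an audit line to the PHP error log so exploitation attempts are visible. */
function ntzcrm_hardening_log( $what ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( '[ntzcrm-hardening] %s on %s from %s', $what, current_action(), $ip ) );
}
```

After installing the file, send an unauthenticated POST with `action=ntzcrm_changepassword` to `/wp-admin/admin-ajax.php` (for example with curl) and confirm you get a 401 JSON error and a corresponding `[ntzcrm-hardening]` line in the PHP error log; any other response means the plugin is not reachable through the hooks this file guards and the workaround is not protecting you. Keep the log lines: they are also your indicator of whether anyone is probing the endpoint.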

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
