WordPress
Multiple Products
The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is d...
2025-12-06
Description
The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability.
AI Analyst Comment
Remediation
Update The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Executive Summary:
A high-severity SQL injection vulnerability has been identified in Prem's Digi On-Prem Manager. An attacker who has obtained a valid API token can exploit this flaw to execute malicious commands on the underlying database, potentially leading to unauthorized data access, modification, or a complete system compromise. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-13319
Affected Software: Prem Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This is a SQL injection vulnerability within the API feature of the Digi On-Prem Manager. The application fails to properly sanitize user-supplied input before using it in SQL queries. An attacker with a valid API token can submit a specially crafted API request containing malicious SQL syntax. This input is then executed by the back-end database, allowing the attacker to bypass security controls and interact directly with the database.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could have a severe impact on the business, leading to a major data breach. Potential consequences include the theft of sensitive corporate or customer data, unauthorized modification or deletion of critical information, and potential for further system compromise if the database user has elevated privileges. Such an incident could result in significant financial loss, reputational damage, regulatory fines, and disruption of business operations.
Remediation Plan
Immediate Action: Apply vendor security updates immediately across all affected instances of the software. After patching, review API and database access logs for any signs of suspicious activity or exploitation attempts that may have occurred prior to remediation.
Proactive Monitoring: Implement continuous monitoring of API endpoints. Specifically, look for unusual or malformed SQL queries in application and database logs. Monitor network traffic for anomalous patterns targeting the API, and configure alerts for repeated failed API authentication attempts or queries that generate database errors.
Compensating Controls: If immediate patching is not feasible, implement the following controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of November 17, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, the technical details are straightforward, and proof-of-concept exploits could be developed quickly. Exploitation requires a valid API token, which means the primary threat comes from attackers who have compromised credentials or from malicious insiders.
Analyst Recommendation
Due to the high severity (CVSS 8.8) and the potential for complete data compromise, it is our strong recommendation that organizations prioritize the immediate patching of this vulnerability. While this vulnerability is not currently listed on the CISA KEV catalog, its high impact potential warrants immediate attention. If patching is delayed, the compensating controls listed above should be implemented without delay to reduce the attack surface. Furthermore, a comprehensive audit of API token security and access management policies is highly advised.