CVE-2025-13313: CRM Memberships Plugin Privilege Escalation

CVE-2025-13313 is a privilege escalation vulnerability in the CRM Memberships WordPress plugin that allows attackers to reset user passwords. This article covers technical details, affected versions, impact, and mitigation.

CVE-2025-13313 Overview

The CRM Memberships plugin for WordPress contains a privilege escalation vulnerability affecting all versions up to and including 2.6. The flaw stems from missing authorization and authentication checks on the ntzcrm_changepassword AJAX action. Unauthenticated attackers can reset arbitrary user passwords and gain unauthorized access to any account, provided they know or can enumerate the target user's email address. The plugin compounds the risk by exposing the ntzcrm_get_users endpoint without authentication, which allows attackers to enumerate subscriber email addresses directly from the site. Combined, these two endpoints provide a complete account takeover chain against WordPress sites running the plugin.

Critical Impact

Unauthenticated attackers can take over arbitrary WordPress accounts, including administrators, by resetting passwords through an unprotected AJAX endpoint.

Affected Products

  • CRM Memberships plugin for WordPress, versions through 2.6
  • WordPress sites with the ntzcrm_changepassword AJAX action exposed
  • WordPress sites with the ntzcrm_get_users AJAX action exposed

Discovery Timeline

  • 2025-12-05 - CVE-2025-13313 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-13313

Vulnerability Analysis

The vulnerability is a Missing Authorization flaw [CWE-862] in the CRM Memberships plugin. The ntzcrm_changepassword AJAX action processes password change requests without verifying the identity of the requester. The handler does not check the WordPress nonce, does not confirm a valid session, and does not require the caller to demonstrate ownership of the target account through a reset token. As a result, any visitor can submit a request specifying an arbitrary email address and a new password, and the plugin will update the corresponding user's credentials.

The ntzcrm_get_users AJAX action exposes user records, including email addresses, without authentication. This eliminates the need for the attacker to guess email addresses through reconnaissance. The two flaws form a complete unauthenticated account takeover chain on any affected site.

Root Cause

The root cause is missing capability and nonce checks in the AJAX handlers registered by the plugin. WordPress exposes AJAX actions registered under wp_ajax_nopriv_* to unauthenticated callers, and the plugin attaches sensitive operations to these hooks without enforcing authorization at the function level.

Attack Vector

An unauthenticated attacker sends a POST request to /wp-admin/admin-ajax.php with the action set to ntzcrm_get_users to retrieve a list of registered users and their email addresses. The attacker then sends a second POST request with the action set to ntzcrm_changepassword, supplying the email address of a privileged account and a new password. The plugin updates the password without further validation, and the attacker logs in through wp-login.php with the new credentials.

No synthetic exploit code is reproduced here. For technical detail on the vulnerable handlers, refer to the WordPress CRM API Code and the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-13313

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php with action=ntzcrm_changepassword originating from unauthenticated sessions.
  • POST requests to /wp-admin/admin-ajax.php with action=ntzcrm_get_users returning user enumeration data.
  • Unexpected password change events in WordPress audit logs for administrator or editor accounts.
  • Successful logins from new IP addresses or geolocations shortly after a password reset event.

Detection Strategies

  • Monitor web server access logs for requests to admin-ajax.php containing the ntzcrm_changepassword or ntzcrm_get_users action parameters.
  • Alert on password change events that are not preceded by an authenticated session for the same user.
  • Correlate user enumeration requests followed by password change requests from the same source IP within a short window.
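One way to implement the correlation rule above over web server access logs, as an added example that is not code from this page or from the plugin: it assumes Apache combined-format logs with the action passed in the query string, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). The action is in the
# query string here; a client can also send it in the POST body, which only a
# body-logging source (e.g. a ModSecurity audit log) would show.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.10 - - [05/Dec/2025:10:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_changepassword HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.7 - - [05/Dec/2025:10:20:45 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2025:11:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SUSPECT_ACTIONS = {"ntzcrm_get_users", "ntzcrm_changepassword"}

def parse_line(line):
    """Return {ip, ts, method, action, status} for an admin-ajax.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query).get("action", [None])[0]  # what admin-ajax.php dispatches on
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "action": action, "status": int(m["status"])}

def find_suspect_requests(log_text):
    """Every request naming one of the plugin's two unprotected AJAX actions."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e["action"] in SUSPECT_ACTIONS]

def find_takeover_chains(log_text, window=timedelta(minutes=5)):
    """(ip, enum_ts, change_ts) for each ntzcrm_get_users request followed by a
    ntzcrm_changepassword request from the same source IP within `window`."""
    last_enum, chains = {}, []
    for ev in sorted(find_suspect_requests(log_text), key=lambda e: e["ts"]):
        if ev["action"] == "ntzcrm_get_users":
            last_enum[ev["ip"]] = ev["ts"]  # remember the most recent enumeration per IP
        elif ev["action"] == "ntzcrm_changepassword":
            seen = last_enum.get(ev["ip"])
            if seen is not None and ev["ts"] - seen <= window:
                chains.append((ev["ip"], seen, ev["ts"]))
    return chains
```

A single ntzcrm_changepassword request is already worth an alert on its own; the chain check adds confidence and the source IP to pivot on.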

Monitoring Recommendations

  • Enable WordPress audit logging to record password resets, user metadata changes, and successful logins.
  • Forward web server and WordPress logs to a centralized SIEM for correlation against authentication events.
  • Track the user-agent and source IP distribution for admin-ajax.php traffic to identify scripted abuse.

How to Mitigate CVE-2025-13313

Immediate Actions Required

  • Update the CRM Memberships plugin to a version above 2.6 once the vendor publishes a patched release.
  • If no patched release is available, deactivate and remove the plugin from affected WordPress sites.
  • Force a password reset for all users on sites that have run vulnerable versions of the plugin.
  • Review administrator and editor accounts for unauthorized changes, new users, or modified roles.

Patch Information

A plugin update is tracked in the WordPress Plugin Changeset. Site administrators should apply the latest available version from the WordPress plugin repository and verify the version in the plugins dashboard after the update.

Workarounds

  • Block requests to /wp-admin/admin-ajax.php containing the ntzcrm_changepassword or ntzcrm_get_users actions at the web application firewall.
  • Restrict access to admin-ajax.php from untrusted networks where business requirements allow.
  • Enforce multi-factor authentication on all administrator and editor accounts to limit the impact of password resets.
```bash
# Example WAF rule (ModSecurity) blocking the two vulnerable AJAX actions.
# ARGS covers query-string and request-body parameters in phase 2, so the rule
# matches the action whether it is sent as ?action= or as a POST field
# (SecRequestBodyAccess must be On). It blocks every caller, authenticated plugin
# users included, so treat it as a stopgap until the plugin is updated or removed.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,id:1013313,phase:2,deny,status:403,msg:'CVE-2025-13313 CRM Memberships unauthenticated password reset'"
    SecRule ARGS:action "@rx ^(ntzcrm_changepassword|ntzcrm_get_users)$" "t:lowercase"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
