CRM Memberships Vulnerability (Critical) – CVE-2025-13313


Feb 24, 2026 | Plugins

Attack Vectors

CRM Memberships (slug: crm-memberships) versions 2.6 and earlier contain a Critical vulnerability (CVSS 9.8, CVE-2025-13313) that can be exploited remotely over the internet. Based on the disclosed CVSS vector (AV:N/AC:L/PR:N/UI:N), attackers need no account and no user interaction, and the low attack complexity means exploitation can be attempted at scale against every site running an affected version.

The primary entry point is an unauthenticated WordPress AJAX action, ntzcrm_changepassword, which allows an attacker to reset the password of a targeted user. WordPress serves AJAX actions through wp-admin/admin-ajax.php, so an action that accepts unauthenticated callers is reachable by anyone who can reach that file. The attacker must be able to obtain or guess the target's email address; the disclosure also notes a second unauthenticated action, ntzcrm_get_users, that can be used to enumerate users, making it easier to identify valid targets.

Security Weakness

This issue is caused by missing authentication and authorization checks on the ntzcrm_changepassword AJAX action in CRM Memberships. In practical terms, the password-change function is exposed without verifying that the requester is logged in at all, and without verifying that the requester is allowed to change the password of the specific account named in the request.

Because the plugin also exposes ntzcrm_get_users without authentication (per the disclosure), the weakness can be compounded: attackers may be able to identify valid accounts and then immediately attempt password resets—turning what should be an internal, user-initiated workflow into an external attack surface.

For reference and ongoing updates, see the Wordfence write-up for this CVE: Wordfence Threat Intel entry.

Technical or Business Impacts

Successful exploitation can lead directly to account takeover, including potential takeover of administrator accounts. With admin access, an attacker may change site settings, modify content, create new accounts, add backdoors, or redirect traffic—often without immediately obvious signs. Given the CVSS impact ratings (C:H/I:H/A:H), the outcome can include data exposure, site defacement, and service disruption.

For marketing and executive stakeholders, the business risk typically shows up as: loss of customer trust (visible site changes or malicious redirects), potential lead/form data exposure, reputational damage, downtime during incident response, and unplanned costs for forensics, legal/compliance review, and recovery. If the compromised WordPress instance supports campaigns, landing pages, or member portals, the impact can cascade into missed revenue and brand harm.

Recommended action: Update CRM Memberships to version 2.7 or newer (the patched release) as soon as possible. Because the vulnerable action lets an attacker set a new password without knowing the old one, treat any account whose password changed during the exposure window as suspect. After patching, force password resets for privileged users, review administrator accounts for unauthorized additions, and check site content and settings for changes made while the vulnerable version was installed.
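To support the review of the exposure window described above, and to surface the enumerate-then-reset chain described under Security Weakness, the following script triages web-server access logs for requests to the two AJAX actions named in the disclosure. It is an added example, not code from the advisory, from Wordfence or from the plugin. It assumes Apache/nginx "combined" log format and that the WordPress action name appears in the query string of the admin-ajax.php request; the log lines, IP addresses and user agents are constructed for illustration. Many clients send the action in the POST body instead, which access logs do not record, so a clean result here does not prove the site was not attacked.

```python
"""Triage access logs for probing of the CRM Memberships AJAX actions.

Added example (not the plugin's or advisory's code). Assumes combined log
format and that the WordPress AJAX action is visible in the query string.
"""
import re
from collections import defaultdict
from datetime import datetime

# Action names taken from the disclosure; a hit on either is worth a look.
RESET_ACTION = "ntzcrm_changepassword"
ENUM_ACTION = "ntzcrm_get_users"

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ACTION_RE = re.compile(r'[?&]action=(?P<action>[A-Za-z0-9_]+)')

# Constructed sample: one source enumerates users and then calls the reset
# action; a normal heartbeat call; and a second source that only calls reset.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2026:10:14:01 +0000] "GET /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 1843 "-" "python-requests/2.32"
203.0.113.7 - - [20/Feb/2026:10:14:03 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_changepassword HTTP/1.1" 200 52 "-" "python-requests/2.32"
198.51.100.5 - - [20/Feb/2026:10:20:44 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 86 "https://example.org/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2026:11:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_changepassword HTTP/1.1" 200 52 "-" "curl/8.5.0"
"""


def parse_line(line):
    """Parse one combined-format line; returns None if it does not match.

    The returned dict carries the AJAX action name when the request targets
    admin-ajax.php and the action is present in the query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["action"] = None
    if "/wp-admin/admin-ajax.php" in rec["path"]:
        am = ACTION_RE.search(rec["path"])
        if am:
            rec["action"] = am.group("action")
    return rec


def find_suspicious(lines):
    """Return (hits, chains).

    hits:   every parsed request whose action is one of the two disclosed names.
    chains: (ip, enum_ts, reset_ts) for each source IP that called the
            enumeration action and later called the reset action, which is
            the attack sequence the disclosure describes."""
    hits = []
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] not in (RESET_ACTION, ENUM_ACTION):
            continue
        hits.append(rec)
        per_ip[rec["ip"]].append(rec)

    chains = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        enum_seen = None
        for r in recs:
            if r["action"] == ENUM_ACTION:
                enum_seen = r["ts"]
            elif r["action"] == RESET_ACTION and enum_seen is not None:
                chains.append((ip, enum_seen, r["ts"]))
                break
    return hits, chains


if __name__ == "__main__":
    hits, chains = find_suspicious(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['ip']} {h['method']} action={h['action']} status={h['status']}")
    for ip, t_enum, t_reset in chains:
        print(f"enumerate-then-reset from {ip}: {t_enum.isoformat()} -> {t_reset.isoformat()}")
```

Any hit on ntzcrm_changepassword from a source that never loaded the site's own pages (no referer, scripted user agent) is a strong signal, and a matching enumerate-then-reset chain from one IP is stronger still. Feed the real log file in with `find_suspicious(open(path))`, then compare the timestamps against password changes and administrator additions in the WordPress user table.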

Similar attacks (real examples): Critical WordPress plugin flaws have repeatedly been used for rapid site takeover at scale, such as CVE-2019-15866 (ThemeGrill Demo Importer) and CVE-2020-25213 (WP File Manager). While the technical details differ, the business outcome is often the same: unauthorized control of the website and the data and brand value attached to it.
