[CVE-2023-1430] Mitigation snippet for unpatched vulnerability in FluentCRM

Today, I’m publishing information about a vulnerability I found in the popular WordPress plugin FluentCRM by WPManageNinja. I responsibly disclosed the vulnerability according to Google Zero’s vulnerability disclosure policy. WPManageNinja has neither provided a patch within the 90-day window nor requested a time extension. I have therefore created a mitigation snippet you can add to your websites to prevent exploitation.

Full report (except for details about exploiting the vulnerability, which I will withhold until WPManageNinja has published a patched version): https://github.com/karlemilnikka/CVE-2023-1430.

tl;dr Attackers can view and edit contact details in FluentCRM.

 
