CVE-2025-13313
Published: 05 December 2025
Description
The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability.
Mitigating Controls (NIST 800-53 r5, AI-generated)
- Enforces the authorization and authentication checks that are missing on the `ntzcrm_changepassword` and `ntzcrm_get_users` AJAX endpoints, preventing unauthenticated privilege escalation and email enumeration.
- Prohibits sensitive actions such as arbitrary password resets and user email enumeration from being permitted without identification or authentication.
- Requires identity verification and secure procedures for authenticator resets, blocking unauthorized password changes via the vulnerable endpoint.
Security Summary (AI-generated)
CVE-2025-13313 is a privilege escalation vulnerability in the CRM Memberships plugin for WordPress, affecting all versions up to and including 2.6. The issue arises from missing authorization and authentication checks on the ntzcrm_changepassword AJAX action, which allows unauthenticated attackers to reset arbitrary user passwords provided they can obtain or enumerate a target user's email address. The plugin also exposes the ntzcrm_get_users endpoint without authentication, enabling attackers to enumerate subscriber email addresses and facilitate exploitation of the password reset flaw. It is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity and no user interaction or privileges required. The attack begins with querying the ntzcrm_get_users endpoint to enumerate subscriber email addresses, followed by sending a request to the ntzcrm_changepassword endpoint to reset the password of a targeted user account. Successful exploitation grants unauthorized access to the victim's WordPress account, potentially leading to full site compromise depending on the user's privileges.
The provided references link to source code locations in CRM Memberships plugin version 2.5 in the WordPress plugin Trac repository, specifically lines in class-ntzcrm-api.php (L12, L63, L795), class-ntzcrm-dbquery.php (L287), and ntzcrm-memberships.php (L42), which illustrate the missing authentication checks and the exposed endpoints. No explicit advisories or patch details are included in the available information.
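The two-step chain described above (enumerate via `ntzcrm_get_users`, then reset via `ntzcrm_changepassword`) can be hunted for in web server access logs. The following is an added detection example, not code from the advisory or the plugin; it assumes combined-format access logs in which the AJAX `action` parameter appears in the query string, and uses constructed sample lines.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx): ip ident user [ts] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two AJAX actions named in CVE-2025-13313.
SUSPICIOUS_ACTIONS = {"ntzcrm_get_users", "ntzcrm_changepassword"}
# Enumeration followed by a reset from the same source within this window is flagged as a chain.
WINDOW = timedelta(minutes=10)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Dec/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [05/Dec/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Dec/2025:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_changepassword HTTP/1.1" 200 31 "-" "curl/8.0"
198.51.100.7 - - [05/Dec/2025:11:30:00 +0000] "GET /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a hit dict for requests to one of the suspicious admin-ajax actions, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query).get("action", [None])[0]
    if action not in SUSPICIOUS_ACTIONS:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "action": action, "status": int(m["status"])}

def find_suspicious(lines):
    """Return (hits, chained_ips): every hit, and the IPs that enumerated then reset within WINDOW."""
    hits = [h for h in map(parse_line, lines) if h]
    last_enum, chained = {}, set()
    for h in sorted(hits, key=lambda h: h["ts"]):
        if h["action"] == "ntzcrm_get_users":
            last_enum[h["ip"]] = h["ts"]
        elif h["ip"] in last_enum and h["ts"] - last_enum[h["ip"]] <= WINDOW:
            chained.add(h["ip"])
    return hits, chained

if __name__ == "__main__":
    hits, chained = find_suspicious(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"].isoformat()} {h["ip"]} {h["action"]} status={h["status"]}')
    print("chained enumerate->reset from:", sorted(chained))
```

Standard access logs do not record POST bodies, so an `action` sent only in the request body is invisible here; covering that case needs WAF or application-level request logging.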
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to enumerate emails and reset arbitrary user passwords, enabling privilege escalation from no privileges to administrator (T1068).