Analysis Report Folder Analysis cache/web-to-sugarcrm-lead_1.0.0 → cache/web-to-sugarcrm-lead_1.0.1 - CVE-2025-13361

Shared security patch analysis results

AI Used: claude_cli haiku
CVE Security Analysis & Writeups

Comprehensive security analysis generated by AI for each confirmed CVE match. Each writeup covers the vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-13361
AI-Generated Analysis
wpscl-admin-functions.php AI: 1 vulnerability, 1 true positive, CVE-2025-13361
--- cache/web-to-sugarcrm-lead_1.0.0/wpscl-admin-functions.php	2025-12-21 09:36:10.477752822 +0000+++ cache/web-to-sugarcrm-lead_1.0.1/wpscl-admin-functions.php	2025-12-21 09:36:12.645887582 +0000@@ -496,15 +496,19 @@ function WPSCL_Custom_Field_Delete() { 	global $wpdb; -	if (isset($_POST['pid'])) {-		$pid = absint($_POST['pid']);-		$where = array('pid' => $pid);-		$delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);-		if ($delete !==false) {-			echo esc_html__('Field deleted successfully', 'WPSCL');-		} else {-			echo esc_html__('Error occured ! Please try again', 'WPSCL');-		}+	check_ajax_referer('WPSCL', 'wpscl_nonce');++	if (!isset($_POST['pid'])) {+		wp_die(esc_html__('Invalid request.', 'WPSCL'), 'Error', array('back_link' => true));+	}++	$pid = absint($_POST['pid']);+	$where = array('pid' => $pid);+	$delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);+	if ($delete !==false) {+		echo esc_html__('Field deleted successfully', 'WPSCL');+	} else {+		echo esc_html__('Error occured ! Please try again', 'WPSCL'); 	} 	wp_die(); }@@ -765,4 +769,4 @@ }  ## Test CRM connection - END-?>\ No newline at end of file+?>
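Review bot: the first hunk adds a nonce check but no capability check, so whether a low-privileged logged-in user can now reach the delete depends entirely on how the AJAX action is registered elsewhere; a `current_user_can(...)` check beside `check_ajax_referer('WPSCL', 'wpscl_nonce');` would make authorization independent of the nonce. Two smaller points in the same hunk: `absint($_POST['pid'])` turns a non-numeric value into 0, and `$wpdb->delete()` then returns 0 rather than false, so the handler still echoes 'Field deleted successfully' for a request that deleted nothing; comparing against `> 0` would report that case as the error it is. The `wp_die(esc_html__('Invalid request.', 'WPSCL'), 'Error', array('back_link' => true))` branch renders a full HTML error page, which sits oddly in an AJAX handler that otherwise echoes plain text; `wp_send_json_error()` or a plain `wp_die()` with a status code fits the rest of the function better. The unchanged message 'Error occured ! Please try again' also misspells "occurred".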
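Review bot: the second hunk only adds the missing trailing newline after `?>`; since this file is pure PHP, dropping the closing `?>` tag altogether (as the WordPress coding standards recommend) would remove the risk of stray whitespace after the tag being sent as output before headers and make the newline question moot.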
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Request Forgery (CSRF) - CWE-352 - wpscl-admin-functions.php Lines 499-515

Old Code:
```php
if (isset($_POST['pid'])) {
    $pid = absint($_POST['pid']);
    $where = array('pid' => $pid);
    $delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);
    if ($delete !==false) {
        echo esc_html__('Field deleted successfully', 'WPSCL');
    } else {
        echo esc_html__('Error occured ! Please try again', 'WPSCL');
    }
}
```

Fixed Code:
```php
check_ajax_referer('WPSCL', 'wpscl_nonce');

if (!isset($_POST['pid'])) {
    wp_die(esc_html__('Invalid request.', 'WPSCL'), 'Error', array('back_link' => true));
}

$pid = absint($_POST['pid']);
$where = array('pid' => $pid);
$delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);
if ($delete !==false) {
    echo esc_html__('Field deleted successfully', 'WPSCL');
} else {
    echo esc_html__('Error occured ! Please try again', 'WPSCL');
}
```

Explanation:
The old code was vulnerable to CSRF because it performed a destructive database operation (deleting a custom field mapping) without validating a nonce. An attacker could craft a request that, when triggered by an authenticated administrator, would delete arbitrary custom fields without the administrator's intent. The fix calls `check_ajax_referer('WPSCL', 'wpscl_nonce')` at the start of the function so that WordPress verifies a valid nonce accompanied the request and terminates it otherwise, which blocks forged cross-site requests. The fix also rejects requests that lack `pid` up front with `wp_die` instead of silently doing nothing, making the handler's request validation explicit.
CVE Analysis Results:
CVE-2025-13361: Yes
CVE Description:
The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
wpscl.php AI: No vulnerabilities
--- cache/web-to-sugarcrm-lead_1.0.0/wpscl.php	2025-12-21 09:36:10.477752822 +0000+++ cache/web-to-sugarcrm-lead_1.0.1/wpscl.php	2025-12-21 09:36:12.645887582 +0000@@ -3,7 +3,7 @@ Plugin Name: Web to SugarCRM Lead Plugin URI: https://offshoreevolution.com/ Description: This plugin will provide a Widget Form anywhere you want for easy,fast & hassle-free SugarCRM Leads.-Version: 1.0.0+Version: 1.0.1 Author: Offshore Evolution Pvt Ltd Author URI: https://profiles.wordpress.org/dipesh_patel/ License: GPLv2 or later
AI Analysis
Vulnerability Existed: no
No Security Vulnerabilities Detected - [N/A] - wpscl.php [1-10]

Old Code:
Version: 1.0.0

Fixed Code:
Version: 1.0.1

Explanation:
This diff only contains a version number bump from 1.0.0 to 1.0.1 in the plugin header comment. There are no code changes, logic modifications, input validation improvements, or security-related fixes. This is a metadata-only change and does not address, introduce, or modify any security-related functionality. No vulnerabilities are present in this change.
CVE Analysis Results:
CVE-2025-13361: No