Analysis Report · Folder Analysis cache/web-to-sugarcrm-lead_1.0.0 → cache/web-to-sugarcrm-lead_1.0.1 — CVE-2025-13361
Shared security patch analysis results
CVE Security Analysis & Writeups
AI-generated security analysis for each confirmed CVE match. Each CVE entry links to a detailed writeup covering the vulnerability background, technical details, patch analysis, and a PoC guide.
CVE-2025-13361 · NVD · AI-Generated Analysis
Findings
wpscl-admin-functions.php
AI: 1 vulnerability
1 true positive
CVE-2025-13361
--- cache/web-to-sugarcrm-lead_1.0.0/wpscl-admin-functions.php 2025-12-21 09:36:10.477752822 +0000+++ cache/web-to-sugarcrm-lead_1.0.1/wpscl-admin-functions.php 2025-12-21 09:36:12.645887582 +0000@@ -496,15 +496,19 @@ function WPSCL_Custom_Field_Delete() { global $wpdb; - if (isset($_POST['pid'])) {- $pid = absint($_POST['pid']);- $where = array('pid' => $pid);- $delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);- if ($delete !==false) {- echo esc_html__('Field deleted successfully', 'WPSCL');- } else {- echo esc_html__('Error occured ! Please try again', 'WPSCL');- }+ check_ajax_referer('WPSCL', 'wpscl_nonce');++ if (!isset($_POST['pid'])) {+ wp_die(esc_html__('Invalid request.', 'WPSCL'), 'Error', array('back_link' => true));+ }++ $pid = absint($_POST['pid']);+ $where = array('pid' => $pid);+ $delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);+ if ($delete !==false) {+ echo esc_html__('Field deleted successfully', 'WPSCL');+ } else {+ echo esc_html__('Error occured ! Please try again', 'WPSCL'); } wp_die(); }@@ -765,4 +769,4 @@ } ## Test CRM connection - END-?>\ No newline at end of file+?>
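Review bot: in the WPSCL_Custom_Field_Delete() hunk, `check_ajax_referer('WPSCL', 'wpscl_nonce')` closes the CSRF hole, but no capability check is added, so authorization now rests entirely on who can obtain a nonce. Unless the action's hook registration (outside this diff) already restricts it, add `if ( ! current_user_can( 'manage_options' ) ) { wp_die( -1, 403 ); }` directly after the nonce check and confirm the handler is hooked on `wp_ajax_` only, not `wp_ajax_nopriv_`. Two smaller points in the same hunk: `absint( $_POST['pid'] )` maps a missing or non-numeric value to 0, so the code should reject `$pid === 0` instead of running `DELETE ... WHERE pid = 0`; and `wp_die()` with `back_link` inside an admin-ajax handler returns an HTML error page to an XHR caller, where `wp_send_json_error()` is the idiomatic response.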
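Review bot: the second hunk only adds the missing trailing newline after `?>`. Since this file is pure PHP, dropping the closing `?>` tag entirely (as the WordPress coding standards recommend) is the safer fix: any stray whitespace after it is sent as output, which breaks header handling on an admin-ajax endpoint.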
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Request Forgery (CSRF) - CWE-352 - wpscl-admin-functions.php Lines 499-515
Old Code:
```php
if (isset($_POST['pid'])) {
    $pid = absint($_POST['pid']);
    $where = array('pid' => $pid);
    $delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);
    if ($delete !== false) {
        echo esc_html__('Field deleted successfully', 'WPSCL');
    } else {
        echo esc_html__('Error occured ! Please try again', 'WPSCL');
    }
}
```
Fixed Code:
```php
check_ajax_referer('WPSCL', 'wpscl_nonce');

if (!isset($_POST['pid'])) {
    wp_die(esc_html__('Invalid request.', 'WPSCL'), 'Error', array('back_link' => true));
}

$pid = absint($_POST['pid']);
$where = array('pid' => $pid);
$delete = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, $where);
if ($delete !== false) {
    echo esc_html__('Field deleted successfully', 'WPSCL');
} else {
    echo esc_html__('Error occured ! Please try again', 'WPSCL');
}
```
Explanation:
The old code performed a destructive database operation (deleting a row from WPSCL_TBL_MAP_FIELDS) on any POST that carried a `pid`, with no nonce check. An attacker could therefore host a page that auto-submits such a request to admin-ajax.php; a logged-in administrator who visits that page would delete the chosen custom field without intending to, because the browser attaches the admin's session cookies to the forged request. The fix adds `check_ajax_referer('WPSCL', 'wpscl_nonce')` at the top of the function, so the request must also carry a nonce that WordPress issued to this user for the `WPSCL` action, which a cross-site page cannot read or forge. The new `wp_die()` branch for a missing `pid` only makes that failure explicit instead of silent; it is not part of the CSRF fix. Note that the patch adds no capability check: a nonce proves the request originated from a page rendered for a logged-in user, not that the user is authorized to delete fields, so a `current_user_can()` check beside the nonce, and hooking the action on `wp_ajax_` only (which this diff does not show), is the usual companion to this fix.
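The following is an added example, not code from the Web to SugarCRM Lead plugin, showing both halves of a nonce-protected admin-ajax delete handler: where the nonce is issued and sent, and how the handler verifies it alongside a capability check. It reuses the nonce action `WPSCL`, the POST field `wpscl_nonce` and the table constant `WPSCL_TBL_MAP_FIELDS` from the patch; the AJAX action name `wpscl_custom_field_delete`, the admin page hook `toplevel_page_wpscl`, the script handle `wpscl-admin` and the function name `wpscl_example_custom_field_delete` are assumed for illustration.

```php
<?php
// Added example, not the plugin's own code.
// From the patch: nonce action 'WPSCL', POST field 'wpscl_nonce',
// table constant WPSCL_TBL_MAP_FIELDS.
// Assumed (hypothetical) names: AJAX action 'wpscl_custom_field_delete',
// admin page hook 'toplevel_page_wpscl', script handle 'wpscl-admin',
// function wpscl_example_custom_field_delete.

// 1. Issue the nonce only on the plugin's own admin screen. The token is
//    bound to the logged-in user's session and the action string, and a
//    third-party page cannot read it cross-origin, which is what defeats CSRF.
add_action('admin_enqueue_scripts', function ($hook) {
    if ($hook !== 'toplevel_page_wpscl') { // assumed page hook
        return;
    }
    // Inline-only script: register with no source file, then attach code.
    wp_register_script('wpscl-admin', false, array('jquery'), '1.0.1', true);
    wp_enqueue_script('wpscl-admin');
    wp_localize_script('wpscl-admin', 'wpsclAjax', array(
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('WPSCL'), // must match check_ajax_referer()'s action
    ));
    // The client sends the nonce in the same POST field the handler checks.
    wp_add_inline_script('wpscl-admin', "
        jQuery(document).on('click', '.wpscl-delete-field', function () {
            jQuery.post(wpsclAjax.url, {
                action: 'wpscl_custom_field_delete',
                wpscl_nonce: wpsclAjax.nonce,
                pid: this.dataset.pid
            });
        });
    ");
});

// 2. Register for authenticated users only. No wp_ajax_nopriv_ hook: an
//    anonymous request must never reach a handler that deletes rows.
add_action('wp_ajax_wpscl_custom_field_delete', 'wpscl_example_custom_field_delete');

function wpscl_example_custom_field_delete() {
    global $wpdb;

    // Anti-CSRF: the request must carry a nonce WordPress issued to this user
    // for the 'WPSCL' action. On failure this dies with -1 and HTTP 403.
    check_ajax_referer('WPSCL', 'wpscl_nonce');

    // Authorization: a nonce proves intent, not permission. Without this,
    // any role that can load a page holding the nonce could delete fields.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    // absint() maps missing or non-numeric input to 0; refuse rather than
    // run DELETE ... WHERE pid = 0.
    $pid = isset($_POST['pid']) ? absint($_POST['pid']) : 0;
    if ($pid === 0) {
        wp_send_json_error(array('message' => 'Invalid field id.'), 400);
    }

    // Parameterised delete; the '%d' format keeps pid an integer in the SQL.
    $deleted = $wpdb->delete(WPSCL_TBL_MAP_FIELDS, array('pid' => $pid), array('%d'));
    if ($deleted === false) {
        wp_send_json_error(array('message' => 'Database error, please try again.'), 500);
    }

    // JSON rather than echo + wp_die(): the caller is an XHR, not a browser page.
    wp_send_json_success(array('deleted' => (int) $deleted));
}
```

A forged request from another origin fails at `check_ajax_referer()` because the attacker's page has no way to learn the victim's nonce, and a logged-in user without `manage_options` fails at the capability check even with a valid nonce; the two checks cover different questions (did this user intend the request, and may this user perform it) and both are needed.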
CVE Analysis Results:
CVE-2025-13361: Yes
CVE Description:
The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.