CVE-2025-13312

MEDIUM 5.3

CRM Memberships <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags and modify CRM configuration that should be restricted to administrators.

CWE	CWE-862
Vendor	dripadmin
Product	crm memberships
Published	Dec 5, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for dripadmin crm memberships

Be the first to know when new medium vulnerabilities affecting dripadmin crm memberships are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

dripadmin / CRM Memberships

0 ≤ 2.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/f61b9de5-5c37-4efb-ad1c-006e9fc05bc2?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L828 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L14

Credits

Athiwat Tiprasaharn