How to fix CVE-2025-13313?

Within 24 hours: Identify all WordPress instances using CRM Memberships plugin and document affected versions; disable the plugin if business-critical functionality permits. Within 7 days: Contact vendor for timeline to patch availability; implement temporary mitigations (see compensating controls); audit access logs for exploitation attempts. Within 30 days: Apply vendor patch immediately upon release; conduct password reset audit for all user accounts; review CRM access logs for unauthorized activity.

Is WordPress affected by CVE-2025-13313?

An unauthenticated attacker can reset passwords for any user account on WordPress sites running the CRM Memberships plugin (versions up to 2.5), enabling full account takeover.

CVE-2025-13313

EUVD-2025-201340 CRITICAL

2025-12-05 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201340

CVE Published

Dec 05, 2025 - 05:16 nvd

CRITICAL 9.8

Description

The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability.

Analysis

The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is due to missing authorization and authentication checks on the ntzcrm_changepassword AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the ntzcrm_changepassword endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the ntzcrm_get_users endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +49

POC: 0

CVE-2025-13313 vulnerability details – vuln.today

Back

CVE-2025-13313

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Priority Score

Share

CVE-2025-13313

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Priority Score

Share

External POC / Exploit Code