Skip to main content

Zoho CRM Plugin CVE-2025-5017

| EUVDEUVD-2025-210456 MEDIUM
SQL Injection (CWE-89)
2026-07-11 Wordfence GHSA-8622-4f89-rc6w
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

PR:H confirmed by Administrator credential requirement; AV:N reflects web-accessible WordPress endpoint; C:H for full database read; I:N and A:N as injection is read-only.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 07:10 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
MEDIUM 4.9

DescriptionCVE.org

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.

Technical ContextAI

The affected product is the Catalyst Connect Zoho CRM Client Portal WordPress plugin (CPE: cpe:2.3:a:catalyst2020:catalyst_connect_zoho_crm_client_portal:*:*:*:*:*:*:*:*), which bridges WordPress sites with Zoho CRM to deliver a customer-facing portal experience. The root cause is CWE-89 (Improper Neutralization of Special Elements in SQL Commands): the 'uid' parameter is passed directly into an existing SQL query without adequate escaping or parameterization via prepared statements. The time-based blind variant means the injected payload manipulates database execution timing (e.g., SLEEP or BENCHMARK functions) rather than returning data directly in the response, requiring the attacker to infer database contents from observable latency differences. This technique is slower and noisier than union- or error-based injection but does not require error output visibility, making it viable against hardened configurations.

RemediationAI

No vendor-released patched version has been identified in any available source at time of analysis - the WordPress.org plugin page (https://wordpress.org/plugins/catalyst-connect-client-portal/) and the Wordfence vulnerability advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/37ce28de-f41d-42f8-8467-0af5e643a739) should be monitored for an updated release. The most effective immediate mitigation is to deactivate and remove the plugin if the Zoho CRM client portal functionality is non-critical, eliminating the attack surface entirely. If the plugin must remain active, restrict WordPress admin panel access to known trusted IP addresses using server-level firewall rules or a security plugin with IP allowlisting - this directly counters the PR:H requirement by preventing unauthorized sessions from reaching the vulnerable parameter. Additionally, audit all administrator-level WordPress accounts, enforce strong unique passwords, and enable multi-factor authentication to reduce risk of credential compromise that would enable exploitation. Note that IP restriction may break legitimate remote admin workflows and should be coordinated with site administrators.

More in Zoho

View all
CVE-2016-6600 CRITICAL POC
9.8 Jan 23

Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remot

CVE-2015-8249 CRITICAL POC
9.8 Sep 28

The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and e

CVE-2014-5005 HIGH POC
7.5 Oct 21

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers

CVE-2015-7765 CRITICAL POC
9.0 Oct 09

ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser a

CVE-2015-7766 CRITICAL POC
9.0 Oct 09

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL q

CVE-2014-6037 HIGH POC
7.5 Oct 26

Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8

CVE-2015-7387 HIGH POC
7.5 Sep 28

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions

CVE-2016-6601 HIGH POC
7.5 Jan 23

Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows rem

CVE-2014-6034 MEDIUM POC
5.0 Dec 04

Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in Z

CVE-2014-3996 HIGH POC
7.5 Dec 05

SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central

CVE-2017-11512 HIGH POC
7.5 Nov 08

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the path

CVE-2014-7866 HIGH POC
7.5 Dec 10

Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and

Share

CVE-2025-5017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy