CVE-2025-7695
Published
CVSS v3: 8.8 (HIGH)
CVSS v2: N/A
Affected: 1 project
Description
The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because the endpoint only checks that the caller is authenticated, not that the caller owns or may edit the target account, any authenticated attacker with Subscriber-level access or above can obtain a password reset link for an administrator and take over that account.
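The flaw class described above, as an added example that is not the plugin’s actual code: a minimal WordPress REST route whose permission_callback only checks that the caller is logged in, beside a hardened permission callback that ties the decision to the target account. The namespace `example/v1`, the route path, the parameter handling and the `example_*` helper names are assumptions made for this illustration; only the WordPress API calls (register_rest_route, get_user_by, get_password_reset_key, current_user_can) are real.

```php
<?php
/**
 * Illustrative reconstruction of the vulnerability class in CVE-2025-7695.
 * NOT the Dataverse Integration plugin's code. Namespace, route path and
 * helper names are assumptions for the example.
 */

// Shared lookup: the caller chooses which account is targeted (id, email or login).
function example_lookup_user( WP_REST_Request $request ) {
    if ( $request->get_param( 'id' ) ) {
        return get_user_by( 'id', (int) $request->get_param( 'id' ) );
    }
    if ( $request->get_param( 'email' ) ) {
        return get_user_by( 'email', sanitize_email( $request->get_param( 'email' ) ) );
    }
    if ( $request->get_param( 'login' ) ) {
        return get_user_by( 'login', sanitize_user( $request->get_param( 'login' ) ) );
    }
    return false;
}

// Builds the same wp-login.php?action=rp link WordPress core uses.
function example_reset_link( WP_User $user ) {
    $key = get_password_reset_key( $user ); // string on success, WP_Error on failure
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $path = 'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login );
    return array( 'link' => network_site_url( $path, 'login' ) );
}

// ---- Vulnerable pattern: authentication is the only gate ----------------
function example_vulnerable_handler( WP_REST_Request $request ) {
    $user = example_lookup_user( $request );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'User not found', array( 'status' => 404 ) );
    }
    // No check that the caller owns or may edit $user: a Subscriber can pass id=1.
    return example_reset_link( $user );
}

// ---- Hardened pattern: authorization is decided against the target -------
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required', array( 'status' => 401 ) );
    }
    $user = example_lookup_user( $request );
    // Unknown and forbidden targets get the same answer, so the endpoint
    // cannot be used to enumerate valid logins or e-mail addresses.
    if ( ! $user ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    // Only the account owner, or a caller who may edit that account, proceeds.
    if ( get_current_user_id() !== (int) $user->ID && ! current_user_can( 'edit_user', (int) $user->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed', array( 'status' => 403 ) );
    }
    return true;
}

function example_hardened_handler( WP_REST_Request $request ) {
    $user = example_lookup_user( $request ); // already authorized in permission_callback
    return example_reset_link( $user );
}

add_action( 'rest_api_init', function () {
    // Vulnerable: is_user_logged_in() lets any Subscriber reach the handler.
    register_rest_route( 'example/v1', '/reset_password_link_vulnerable', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in',
        'callback'            => 'example_vulnerable_handler',
    ) );
    // Hardened: the permission callback checks the caller against the target user.
    register_rest_route( 'example/v1', '/reset_password_link', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_hardened_permission',
        'callback'            => 'example_hardened_handler',
    ) );
} );
```

Two design points follow from the hardened version. The authorization decision belongs in permission_callback, which the REST server evaluates before the handler runs, so a forbidden request never reaches get_password_reset_key() at all. And handing the reset link back to the requester is itself a questionable design: WordPress core’s lost-password flow e-mails the link to the account owner rather than returning it in the response, which is the safer delivery path even for an authorized caller.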
<p>This plugin directly connects WordPress with Dataverse / Dynamics 365 / CRM, creating powerful portal solutions for your business.</p>
<p><a href="https://docs.microsoft.com/en-au/powerapps/maker/data-platform/data-platform-intro" rel="nofollow ugc">Dataverse</a> lets you securely store and manage data that’s used by business applications. Data from your Dynamics 365 applications is also stored in Dataverse allowing you to quickly build apps which leverage your Dynamics 365 data and extend your apps using Power Apps.</p>
<p>The plugin extends Microsoft Power Platform to WordPress and provides full access to the data. Written from the ground up, the plugin uses the Dataverse Web API to communicate with Dataverse.</p>
<h4>Features</h4>
<ul>
<li>100% Web API-based – future-proof investment.</li>
<li>Secure server-to-server authentication. No more usernames or passwords.</li>
<li>Create custom forms in WordPress and map them to Dataverse tables and columns for create or update operations. Write data from the forms directly to Dataverse / Dynamics 365.</li>
<li>Collect leads, contact requests, support queries and much more without any coding.</li>
<li>Query Dataverse / Dynamics 365 records using the FetchXML language. Give your customers direct access to product catalogs, event lists, and knowledge base articles.</li>
<li>Create custom layouts for Dataverse / Dynamics 365 data using powerful and flexible <a href="https://twig.symfony.com/" rel="nofollow ugc">Twig template engine</a>. Display data directly from Dataverse / Dynamics 365 without any coding.</li>
<li>Bind WordPress posts and pages to Dataverse / Dynamics 365 records. Build a customized record view in WordPress like product information sheets, event details, or customer profiles.</li>
<li>Extensible through WordPress <a href="https://codex.wordpress.org/Plugin_API" rel="nofollow ugc">actions and filters</a>.</li>
</ul>
<h4>Requirements</h4>
<p>This plugin requires PHP 8.2 or greater. cURL and intl extensions are required as well.</p>
<h4>Documentation</h4>
<p>Plugin documentation is available at <a href="https://docs.alexacrm.com/" rel="nofollow ugc">docs.alexacrm.com/</a>.</p>
<h4>Disclaimer</h4>
<p>For this plugin to work, access to a working Dataverse or Dynamics 365 instance is required. Please do not raise issues related to that. If you are curious to try it, you can always sign up for a free trial of <a href="https://learn.microsoft.com/power-apps/maker/signup-for-powerapps" rel="nofollow ugc">Power Apps</a> or <a href="https://www.microsoft.com/dynamics-365/free-trial" rel="nofollow ugc">Dynamics 365</a>. To explore the full plugin capabilities, including premium features, we recommend using a <a href="https://learn.microsoft.com/power-platform/developer/create-developer-environment" rel="nofollow ugc">Dataverse developer environment</a>.</p>