WordPress
CVE-2025-69022
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HR Management Lite: from n/a through <= 3.6.
AnalysisAI
HR Management Lite WordPress plugin versions 3.6 and earlier contain a missing authorization vulnerability allowing authenticated users to access or modify resources without proper access control checks. An attacker with low-privilege user credentials can exploit incorrectly configured access control to read or modify sensitive data within the plugin's functionality, though the vulnerability requires prior authentication and does not enable privilege escalation or system-wide impact.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a common weakness in access control implementations where an application fails to verify that a user is authorized to perform requested actions. In the context of the HR Management Lite WordPress plugin, the access control security levels are configured incorrectly, allowing authenticated users (PR:L in CVSS vector) to bypass intended authorization restrictions. The plugin likely implements role-based or capability-based access controls that are either missing from certain endpoints or improperly validated, permitting lateral movement between user contexts or unauthorized access to HR management features. This affects the WordPress plugin ecosystem, where improper capability checks in admin AJAX handlers or REST API endpoints are a common implementation gap.
Affected ProductsAI
Weblizar HR Management Lite WordPress plugin is affected in version 3.6 and all earlier versions (from version 1.0 through 3.6). The plugin is distributed through the official WordPress.org plugin repository and available via CPE:2.3:a:weblizar:hr_management_lite:*:*:*:*:*:wordpress:*:*. The vulnerability was reported by the Patchstack security research team through their WordPress plugin vulnerability database.
RemediationAI
Update the HR Management Lite plugin to a version greater than 3.6 as soon as a patched release becomes available from Weblizar or the WordPress.org plugin repository. Administrators should check the plugin's update mechanism within the WordPress dashboard or visit the official plugin page at https://patchstack.com/database/Wordpress/Plugin/hr-management-lite/vulnerability/wordpress-hr-management-lite-plugin-3-5-broken-access-control-vulnerability?_s_id=cve for patch availability confirmation. As an interim workaround, restrict user role assignments to trusted administrators only and disable the HR Management Lite plugin entirely if it is not actively in use. WordPress site administrators should audit user accounts with elevated roles and verify access logs for unauthorized data access attempts prior to patching.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today