Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible endpoint requires authenticated HR Manager role (PR:L); read-only SQL injection path means no integrity or availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.17.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the erp_list_employee capability, which is granted to HR Manager-level users and above within the WP ERP plugin.
AnalysisAI
SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized orderby parameter in the leave management module. The flaw resides in functions-leave.php and LeaveRequestsListTable.php, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active, authenticated WordPress session with the `erp_list_employee` capability, which WP ERP grants specifically to HR Manager-level users and above - this is a plugin-defined role, not a default WordPress role, and must be explicitly assigned by a site administrator. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects a network-reachable, low-complexity flaw, but the real-world risk is significantly bounded by the authentication requirement: exploitation demands a valid session with the `erp_list_employee` capability, granted only to HR Manager-level users or above within WP ERP - this is a non-default, plugin-specific role, not a standard WordPress capability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding (or having compromised) an HR Manager account sends a crafted GET or POST request to the WP ERP leave management list endpoint with a SQL payload injected into the `orderby` parameter - for example, appending a UNION SELECT statement to pivot from the leave table into the WordPress users or payroll tables. Because `functions-leave.php` interpolates this value directly into the SQL query without escaping, the injected clause executes and the results are returned in the HTTP response. … |
| Remediation | Update WP ERP to the latest available version beyond 1.17.5 via the WordPress plugin dashboard; a fix has been committed to the upstream SVN repository per the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/208c8f55-14e0-47c4-b310-dd7b7edbadd4) and the changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3598905%40erp&new=3598905%40erp), though the exact patched release version is not independently confirmed in the available input data - verify the installed version against the Wordfence advisory after updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/co
An arbitrary file upload vulnerability in ERP commit 44bd04 allows attackers to execute arbitrary code via uploading a c
jerryhanjj ERP 1.0 is vulnerable to SQL Injection in the set_password function in application/controllers/home.php. Rate
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an arbitrary file upload vulnerability. Rated high severity (CVSS
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an OS command injection vulnerability via calls made to the XMSer
A vulnerability was found in jerryhanjj ERP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/in
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an information disclosure vulnerability via the /debug endpoint.
Sme.UP TOKYO V6R1M220406 was discovered to contain an arbitrary file download vulnerabilty via the component /ResourceSe
There is an improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in php file
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700,
Unauthenticated attackers can manipulate unvalidated URL parameters in S4core, Document Management System, and ERP appli
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42539
GHSA-874f-wgfx-gr6c