Skip to main content

WP ERP CVE-2026-13011

| EUVDEUVD-2026-42539 MEDIUM
SQL Injection (CWE-89)
2026-07-09 Wordfence GHSA-874f-wgfx-gr6c
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible endpoint requires authenticated HR Manager role (PR:L); read-only SQL injection path means no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:59 vuln.today
CVE Published
Jul 09, 2026 - 07:55 nvd
MEDIUM 6.5

DescriptionCVE.org

The ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.17.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the erp_list_employee capability, which is granted to HR Manager-level users and above within the WP ERP plugin.

AnalysisAI

SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized orderby parameter in the leave management module. The flaw resides in functions-leave.php and LeaveRequestsListTable.php, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain HR Manager credentials via phishing or credential stuffing
Delivery
Authenticate to WordPress site with WP ERP active
Exploit
Submit crafted request with SQL payload in orderby parameter to leave management endpoint
Execution
Injected SQL clause executes in database context
Impact
Exfiltrate sensitive HR, payroll, or CRM records from response

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated WordPress session with the `erp_list_employee` capability, which WP ERP grants specifically to HR Manager-level users and above - this is a plugin-defined role, not a default WordPress role, and must be explicitly assigned by a site administrator. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects a network-reachable, low-complexity flaw, but the real-world risk is significantly bounded by the authentication requirement: exploitation demands a valid session with the `erp_list_employee` capability, granted only to HR Manager-level users or above within WP ERP - this is a non-default, plugin-specific role, not a standard WordPress capability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding (or having compromised) an HR Manager account sends a crafted GET or POST request to the WP ERP leave management list endpoint with a SQL payload injected into the `orderby` parameter - for example, appending a UNION SELECT statement to pivot from the leave table into the WordPress users or payroll tables. Because `functions-leave.php` interpolates this value directly into the SQL query without escaping, the injected clause executes and the results are returned in the HTTP response. …
Remediation Update WP ERP to the latest available version beyond 1.17.5 via the WordPress plugin dashboard; a fix has been committed to the upstream SVN repository per the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/208c8f55-14e0-47c4-b310-dd7b7edbadd4) and the changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3598905%40erp&new=3598905%40erp), though the exact patched release version is not independently confirmed in the available input data - verify the installed version against the Wordfence advisory after updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Erp

View all
CVE-2024-42565 CRITICAL POC
9.8 Aug 20

ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/co

CVE-2024-42563 CRITICAL POC
9.8 Aug 20

An arbitrary file upload vulnerability in ERP commit 44bd04 allows attackers to execute arbitrary code via uploading a c

CVE-2025-29390 HIGH POC
8.8 Apr 09

jerryhanjj ERP 1.0 is vulnerable to SQL Injection in the set_password function in application/controllers/home.php. Rate

CVE-2023-26762 HIGH POC
8.8 Feb 27

Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an arbitrary file upload vulnerability. Rated high severity (CVSS

CVE-2023-26759 HIGH POC
8.8 Feb 27

Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an OS command injection vulnerability via calls made to the XMSer

CVE-2022-3944 HIGH POC
8.8 Nov 11

A vulnerability was found in jerryhanjj ERP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2024-42564 HIGH POC
7.6 Aug 20

ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/in

CVE-2023-26760 HIGH POC
7.5 Feb 27

Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an information disclosure vulnerability via the /debug endpoint.

CVE-2023-26758 HIGH POC
7.5 Feb 27

Sme.UP TOKYO V6R1M220406 was discovered to contain an arbitrary file download vulnerabilty via the component /ResourceSe

CVE-2020-8967 CRITICAL
9.8 Jun 01

There is an improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in php file

CVE-2020-6188 HIGH
8.8 Feb 12

VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700,

CVE-2026-0505 MEDIUM
6.1 Feb 10

Unauthenticated attackers can manipulate unvalidated URL parameters in S4core, Document Management System, and ERP appli

Share

CVE-2026-13011 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy