EUVD-2026-14161
GHSA-wcm8-f742-j3xh
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
Analysis
The Hr Press Lite WordPress plugin (versions up to 1.0.2) contains a missing capability check vulnerability in the hrp-fetch-employees AJAX action that allows authenticated attackers with Subscriber-level access to retrieve sensitive employee information including names, email addresses, phone numbers, salary data, employment dates, and employment status. This represents a clear privilege escalation and information disclosure flaw with a CVSS score of 6.5 (Medium severity, high confidentiality impact) affecting all versions of the plugin distributed through the WordPress plugin repository.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today