Skip to main content

Crew HRM CVE-2026-27351

| EUVDEUVD-2026-33931 MEDIUM
Missing Authorization (CWE-862)
2026-06-02 audit@patchstack.com GHSA-wq78-vxp9-qcff
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 14:36 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Crew HRM: from n/a through 1.2.2.

AnalysisAI

Broken access control in the Crew HRM WordPress plugin (versions through 1.2.2) permits authenticated low-privileged users to invoke plugin functionality beyond their intended authorization level, resulting in limited unauthorized data modification and availability impact. The flaw, rooted in CWE-862 Missing Authorization, means the plugin fails to validate whether the requesting user holds the required WordPress capability before executing sensitive operations. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

Crew HRM is a WordPress HR management plugin developed by Sekander Badsha. WordPress plugins are expected to gate sensitive operations using capability checks such as current_user_can() or equivalent nonce/role validation. CWE-862 (Missing Authorization) describes the failure to perform any authorization check at all on a security-sensitive action - distinct from CWE-863 (Incorrect Authorization), which implies a check exists but is misconfigured. In this case, one or more plugin endpoints or AJAX handlers expose HR-related actions without verifying that the authenticated requester holds an appropriate role or capability. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms the flaw is reachable over the network with no user interaction required, but does require at least a low-privileged authenticated session, consistent with WordPress subscriber- or employee-level access.

RemediationAI

Sites running Crew HRM should update to a version beyond 1.2.2 as soon as a patched release is made available by the developer; no specific fixed version number is confirmed from the available data, and the upstream patch status should be verified via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hr-management/vulnerability/wordpress-crew-hrm-plugin-1-2-2-broken-access-control-vulnerability. As a compensating control pending an official patch, administrators should audit which WordPress user roles have been granted access to the site and revoke any low-privilege accounts held by untrusted users, since the vulnerability requires at minimum a low-privileged authenticated session (PR:L). Additionally, a web application firewall (WAF) with WordPress-aware rulesets - such as the Patchstack firewall or Wordfence - can be configured to virtual-patch this class of broken access control issues by blocking unauthorized AJAX or REST API requests to the plugin's endpoints. Note that WAF virtual patching requires correct rule configuration and does not substitute for an official code fix.

Share

CVE-2026-27351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy