Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Crew HRM: from n/a through 1.2.2.
AnalysisAI
Broken access control in the Crew HRM WordPress plugin (versions through 1.2.2) permits authenticated low-privileged users to invoke plugin functionality beyond their intended authorization level, resulting in limited unauthorized data modification and availability impact. The flaw, rooted in CWE-862 Missing Authorization, means the plugin fails to validate whether the requesting user holds the required WordPress capability before executing sensitive operations. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
Crew HRM is a WordPress HR management plugin developed by Sekander Badsha. WordPress plugins are expected to gate sensitive operations using capability checks such as current_user_can() or equivalent nonce/role validation. CWE-862 (Missing Authorization) describes the failure to perform any authorization check at all on a security-sensitive action - distinct from CWE-863 (Incorrect Authorization), which implies a check exists but is misconfigured. In this case, one or more plugin endpoints or AJAX handlers expose HR-related actions without verifying that the authenticated requester holds an appropriate role or capability. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) confirms the flaw is reachable over the network with no user interaction required, but does require at least a low-privileged authenticated session, consistent with WordPress subscriber- or employee-level access.
RemediationAI
Sites running Crew HRM should update to a version beyond 1.2.2 as soon as a patched release is made available by the developer; no specific fixed version number is confirmed from the available data, and the upstream patch status should be verified via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hr-management/vulnerability/wordpress-crew-hrm-plugin-1-2-2-broken-access-control-vulnerability. As a compensating control pending an official patch, administrators should audit which WordPress user roles have been granted access to the site and revoke any low-privilege accounts held by untrusted users, since the vulnerability requires at minimum a low-privileged authenticated session (PR:L). Additionally, a web application firewall (WAF) with WordPress-aware rulesets - such as the Patchstack firewall or Wordfence - can be configured to virtual-patch this class of broken access control issues by blocking unauthorized AJAX or REST API requests to the plugin's endpoints. Note that WAF virtual patching requires correct rule configuration and does not substitute for an official code fix.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33931
GHSA-wq78-vxp9-qcff