Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-based attack requiring subscriber auth only; nonce leak removes AC complexity; impact confined to job listing integrity with no confidentiality or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Employee, Leave and Recruitment Management System - Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, archive, unarchive, and duplicate arbitrary job listings - along with their associated stages, meta, addresses, and applications - by supplying an arbitrary integer job_id. The nonce verified by Dispatcher::dispatch() is exposed to all authenticated front-end visitors via wp_head script localization, meaning subscribers can trivially obtain it and satisfy the nonce check without possessing any elevated privilege.
AnalysisAI
Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account at subscriber level or above on the target site - anonymous unauthenticated access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is consistent with the described behavior: the attack is network-accessible, requires no complex preconditions, and is limited to low-privilege authenticated access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or uses an existing WordPress subscriber account on a site running Crew HRM ≤ 1.2.2, loads any frontend page, and parses the nonce value from the wp_head-injected JavaScript. The attacker then sends a crafted POST request to Dispatcher::dispatch() with the extracted nonce and an arbitrary job_id integer, triggering job deletion or archival without any authorization check blocking the action. … |
| Remediation | Upstream fix available (patch changeset 3556031 on WordPress Plugin Trac); a specific released patched version number is not independently confirmed from the provided data - administrators should check the WordPress plugin repository for a version beyond 1.2.2 and upgrade immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42566
GHSA-qjph-9jxc-9pcm