Skip to main content

Crew HRM CVE-2026-9237

| EUVDEUVD-2026-42566 MEDIUM
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-qjph-9jxc-9pcm
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-based attack requiring subscriber auth only; nonce leak removes AC complexity; impact confined to job listing integrity with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 11:56 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
MEDIUM 4.3

DescriptionCVE.org

The Employee, Leave and Recruitment Management System - Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, archive, unarchive, and duplicate arbitrary job listings - along with their associated stages, meta, addresses, and applications - by supplying an arbitrary integer job_id. The nonce verified by Dispatcher::dispatch() is exposed to all authenticated front-end visitors via wp_head script localization, meaning subscribers can trivially obtain it and satisfy the nonce check without possessing any elevated privilege.

AnalysisAI

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress subscriber
Delivery
Load any frontend page
Exploit
Extract nonce from wp_head script output
Execution
Send crafted dispatch request with arbitrary job_id
Impact
Delete, archive, or duplicate target job listing and associated application data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account at subscriber level or above on the target site - anonymous unauthenticated access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is consistent with the described behavior: the attack is network-accessible, requires no complex preconditions, and is limited to low-privilege authenticated access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing WordPress subscriber account on a site running Crew HRM ≤ 1.2.2, loads any frontend page, and parses the nonce value from the wp_head-injected JavaScript. The attacker then sends a crafted POST request to Dispatcher::dispatch() with the extracted nonce and an arbitrary job_id integer, triggering job deletion or archival without any authorization check blocking the action. …
Remediation Upstream fix available (patch changeset 3556031 on WordPress Plugin Trac); a specific released patched version number is not independently confirmed from the provided data - administrators should check the WordPress plugin repository for a version beyond 1.2.2 and upgrade immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy