Skip to main content

Employee Leave And Recruitment Management System Crew Hrm

1 CVEs product

Monthly

CVE-2026-9237 MEDIUM This Month

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists; however, the nonce leak collapses the practical access barrier to subscriber level.

Authentication Bypass WordPress Employee Leave And Recruitment Management System Crew Hrm
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists; however, the nonce leak collapses the practical access barrier to subscriber level.

Authentication Bypass WordPress Employee Leave And Recruitment Management System Crew Hrm
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy