Skip to main content

Wp Human Resource Management

4 CVEs product

Monthly

CVE-2025-5956 MEDIUM This Month

The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators.

WordPress Authentication Bypass Wp Human Resource Management PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-5953 HIGH This Week

The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator.

WordPress Privilege Escalation Authentication Bypass Wp Human Resource Management PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2019-9574 HIGH This Week

The WP Human Resource Management plugin before 2.2.6 for WordPress does not ensure that a leave modification occurs in the context of the Administrator or HR Manager role. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Wp Human Resource Management
NVD
CVSS 3.0
7.5
EPSS
2.4%
CVE-2019-9573 HIGH This Week

The WP Human Resource Management plugin before 2.2.6 for WordPress mishandles leave applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Wp Human Resource Management
NVD
CVSS 3.0
7.5
EPSS
1.8%
EPSS 0% CVSS 6.5
MEDIUM This Month

The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators.

WordPress Authentication Bypass Wp Human Resource Management +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator.

WordPress Privilege Escalation Authentication Bypass +2
NVD
EPSS 2% CVSS 7.5
HIGH This Week

The WP Human Resource Management plugin before 2.2.6 for WordPress does not ensure that a leave modification occurs in the context of the Administrator or HR Manager role. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Wp Human Resource Management
NVD
EPSS 2% CVSS 7.5
HIGH This Week

The WP Human Resource Management plugin before 2.2.6 for WordPress mishandles leave applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Wp Human Resource Management
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy