CVE-2025-5953 HIGH

CVE-2025-5953: WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Privilege Escalation via wp_ajax_hrm_insert_employee AJAX Action

Vendor Asaquzzaman
Product WP Human Resource Management
Weakness CWE-862 · Missing authorization
Published July 4, 2025
Last update July 8, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator.

Explanation of Vulnerability in Simple Terms

02Summary

WP Human Resource Management versions 2.0.0 through 2.2.17 lack proper authorization checks, allowing authenticated users with low privileges to read, modify, or delete sensitive HR data. An attacker with a basic user account can access and alter employee records, payroll information, and other confidential HR functions without restriction. Organizations using this plugin should update immediately to a patched version.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete HR data including employee records and payroll information.

Potential impact on your site

04Site Impact

Unauthorized access to and modification of sensitive HR data by any logged-in user, risking data breach and compliance violations.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

July 4, 2025 CVE published
July 8, 2025 Record updated