CVE-2025-5956 MEDIUM

CVE-2025-5956: WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Arbitrary User Deletion via ajax_delete_employee Function

Vendor Asaquzzaman
Product WP Human Resource Management
Weakness CWE-862 · Missing authorization
Published July 4, 2025
Last update July 8, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The WP Human Resource Management plugin for WordPress is vulnerable to arbitrary user deletion due to a missing authorization check in the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The deletion handler reads the client-supplied $_POST['delete'] array and passes each ID straight to wp_delete_user() without verifying that the caller holds the delete_users capability and without restricting which user IDs may be removed. An authenticated attacker with Employee-level access or higher can therefore delete any account on the site, including administrator accounts.
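The following PHP is an added illustration, not the plugin's own source. It reconstructs the pattern the advisory describes (an AJAX handler that passes every ID in $_POST['delete'] to wp_delete_user() with no authorization check) and places a hardened version beside it. The AJAX hook name hrm_delete_employee and the nonce action name are assumptions made for the example; only ajax_delete_employee, $_POST['delete'], wp_delete_user() and the delete_users capability come from the advisory text.

```php
<?php
// Added example (not code from the WP Human Resource Management plugin).
// Hook and nonce names below are assumptions; the vulnerable shape follows
// the advisory: $_POST['delete'] -> wp_delete_user() with no capability check.

// --- Vulnerable pattern, as described in the advisory ---
function ajax_delete_employee_vulnerable() {
    $ids = isset( $_POST['delete'] ) ? (array) $_POST['delete'] : array();
    foreach ( $ids as $id ) {
        // Any logged-in user who can reach this handler may supply an
        // administrator's user ID; wp_delete_user() itself does not check
        // capabilities, so the account is removed.
        wp_delete_user( (int) $id );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---
function ajax_delete_employee_hardened() {
    // 1. CSRF: the request must carry a nonce bound to this action
    //    ('hrm_delete_employee' is an assumed action name).
    check_ajax_referer( 'hrm_delete_employee', 'nonce' );

    // 2. Authorization: only callers allowed to delete users proceed.
    //    This is the check the advisory says is missing.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = isset( $_POST['delete'] ) ? (array) wp_unslash( $_POST['delete'] ) : array();
    $ids = array_map( 'absint', $raw );

    // wp_delete_user() lives in wp-admin/includes/user.php; admin-ajax.php
    // loads it, but requiring it explicitly keeps the handler self-contained.
    require_once ABSPATH . 'wp-admin/includes/user.php';

    $deleted = array();
    foreach ( $ids as $id ) {
        // 3. Scope: never act on an invalid ID, on the caller's own account,
        //    or on an administrator from an HR "delete employee" screen.
        if ( 0 === $id || get_current_user_id() === $id || user_can( $id, 'manage_options' ) ) {
            continue;
        }
        // 4. Per-target check: the 'delete_user' meta capability maps to
        //    delete_users and is multisite-aware.
        if ( ! current_user_can( 'delete_user', $id ) ) {
            continue;
        }
        // Reassign the deleted user's content to the caller instead of
        // letting wp_delete_user() drop it along with the account.
        if ( wp_delete_user( $id, get_current_user_id() ) ) {
            $deleted[] = $id;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
add_action( 'wp_ajax_hrm_delete_employee', 'ajax_delete_employee_hardened' );
```

The capability check is the fix the CWE-862 classification points to; the nonce check, the refusal to delete administrators or the caller's own account, and the content reassignment are additional hardening a reviewer would expect on any user-deletion endpoint, not corrections the advisory itself specifies.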

Explanation of Vulnerability in Simple Terms

02 Summary

WP Human Resource Management versions 2.0.0 through 2.2.17 do not check whether the user calling the employee-deletion AJAX handler is actually allowed to delete accounts. Any logged-in user with the plugin's Employee role or higher can send a list of WordPress user IDs to that handler, and the plugin deletes those accounts without confirming that the caller has permission to do so. This means a low-privilege employee can remove other users' accounts, including the site administrators'.

What an attacker can do

03 Attacker Capabilities

Delete arbitrary WordPress user accounts, including administrator accounts, by submitting their user IDs in the delete parameter to the unprotected ajax_delete_employee() handler.

Potential impact on your site

04 Site Impact

Any account on the site can be removed by a low-privilege employee. Deleting the administrator accounts locks legitimate administrators out of the site, and because the IDs are passed straight to wp_delete_user(), which on a single-site install also deletes the removed user's posts when no reassignment target is given, content owned by the deleted accounts can be lost as well.

Conditions required to exploit

05 Prerequisites

The attacker must be authenticated to the WordPress site with an account at the plugin's Employee role or higher. No victim interaction and no special site configuration are required (CVSS PR:L, UI:N).

Key dates

06 Disclosure timeline

July 4, 2025 CVE published
July 8, 2025 Record updated