What the vulnerability does
01 Description
The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization check within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin's deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability and without limiting which user IDs may be removed. Because the target IDs come straight from the request, any user ID is accepted, not only the IDs of employee records the plugin manages. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators.
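The pattern the description outlines, placed next to a hardened version of the same handler, as an added illustration. This is not the plugin's own code: the AJAX action name hrm_delete_employee, the nonce action hrm-delete-employee, and the employee role slug are assumptions made for the example.

```php
<?php
// Added illustration; not code from WP Human Resource Management.
// The action/nonce names and the 'employee' role slug are assumed.

// Vulnerable shape as described in the advisory: every ID in
// $_POST['delete'] reaches wp_delete_user() with no capability check
// and no restriction on which accounts may be targeted.
function vulnerable_ajax_delete_employee() {
    $ids = isset( $_POST['delete'] ) ? (array) $_POST['delete'] : array();
    foreach ( $ids as $id ) {
        // Any authenticated caller who can reach the hook, any target user.
        wp_delete_user( (int) $id );
    }
    wp_send_json_success();
}

// Hardened version of the same handler.
function hardened_ajax_delete_employee() {
    // 1. Reject requests without a nonce bound to this action (CSRF).
    check_ajax_referer( 'hrm-delete-employee', 'nonce' );

    // 2. Authorization: the caller must hold delete_users at all.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = isset( $_POST['delete'] ) ? (array) wp_unslash( $_POST['delete'] ) : array();
    $ids = array_filter( array_map( 'absint', $raw ) ); // drop 0 / non-numeric
    $deleted = array();

    foreach ( $ids as $id ) {
        // 3. Per-target check: WordPress maps the delete_user meta capability
        //    to delete_users and applies its multisite rules for the target.
        if ( $id === get_current_user_id() || ! current_user_can( 'delete_user', $id ) ) {
            continue;
        }

        // 4. Scope: only accounts this plugin manages (assumed 'employee' role),
        //    never administrators, regardless of what the request asked for.
        $user = get_userdata( $id );
        if ( ! $user
            || in_array( 'administrator', $user->roles, true )
            || ! in_array( 'employee', $user->roles, true ) ) {
            continue;
        }

        // 5. Reassign the user's content to the caller instead of deleting it.
        if ( wp_delete_user( $id, get_current_user_id() ) ) {
            $deleted[] = $id;
        }
    }

    wp_send_json_success( array( 'deleted' => array_values( $deleted ) ) );
}

// Only logged-in users reach wp_ajax_*; the checks above decide which of them may delete.
add_action( 'wp_ajax_hrm_delete_employee', 'hardened_ajax_delete_employee' );
```

The two checks that matter for this class of bug are steps 2 and 4: the capability check stops Employee-level accounts from reaching wp_delete_user() at all, and the role scoping stops a caller who legitimately may delete employees from being handed administrator IDs by the request. A nonce alone (step 1) is not a fix, since a logged-in attacker can obtain their own nonce.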
Explanation of Vulnerability in Simple Terms
02 Summary
WP Human Resource Management versions 2.0.0 through 2.2.17 do not check whether the user calling the plugin's employee-deletion handler is allowed to delete users. Any logged-in account with the plugin's Employee role or higher can submit a list of user IDs and have those accounts removed, including administrator accounts, without the plugin verifying the caller's permissions or restricting which accounts can be targeted.
What an attacker can do
03 Attacker Capabilities
Delete arbitrary WordPress user accounts on the site, including administrator accounts, by sending chosen user IDs to the plugin's employee-deletion handler.
Potential impact on your site
04 Site Impact
Any user account on the site can be deleted by an Employee-level user. Deleting administrator accounts can lock the legitimate site owners out, and because wp_delete_user() removes a user's posts when no reassignment target is supplied, content authored by the deleted accounts may be lost along with them.
Conditions required to exploit
05 Prerequisites
The attacker needs an authenticated account with Employee-level access or above on a site running WP Human Resource Management 2.0.0 through 2.2.17.
Key dates
06 Disclosure timeline
July 4, 2025: CVE published
July 8, 2025: Record updated