CVE-2025-69022 MEDIUM

CVE-2025-69022: WordPress HR Management Lite plugin <= 3.6 - Broken Access Control vulnerability

Vendor: Weblizar - WordPress Themes & Plugin
Product: HR Management Lite
Weakness: CWE-862 · Missing authorization
Published: December 30, 2025
Last update: April 28, 2026

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HR Management Lite: from n/a through <= 3.6.

Explanation of Vulnerability in Simple Terms

02 Summary

The HR Management Lite WordPress plugin through version 3.6 lacks proper authorization checks, so an unauthenticated attacker can cause site data to be modified when a victim interacts with attacker-supplied content. An attacker can trick a site visitor into performing actions that alter plugin settings or content. Exploitation requires the victim to click a malicious link or visit a crafted page, and it does not expose sensitive information.

What an attacker can do

03 Attacker Capabilities

Trick a site visitor into modifying plugin settings or data without proper permission checks.

Potential impact on your site

04 Site Impact

Site data or plugin configuration could be altered without authorization if a victim visits a malicious link.

Conditions required to exploit

05 Prerequisites

Unauthenticated attacker; victim must click a link or visit a page controlled by the attacker.

Key dates

06 Disclosure timeline

December 30, 2025: CVE published
April 28, 2026: Record updated
