What the vulnerability does
01 Description
Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HR Management Lite: from n/a through <= 3.6.
Explanation of Vulnerability in Simple Terms
02 Summary
The HR Management Lite WordPress plugin, through version 3.6, lacks proper authorization checks, which lets an unauthenticated attacker modify site data when a user interacts with attacker-supplied content. An attacker can trick a site visitor into performing actions that alter plugin settings or content. The vulnerability requires the victim to click a malicious link or visit a crafted page, but does not expose sensitive information.
What an attacker can do
03 Attacker Capabilities
Trick a site visitor into modifying plugin settings or data without proper permission checks.
Potential impact on your site
04 Site Impact
Site data or plugin configuration could be altered by unauthorized users if they visit a malicious link.
Conditions required to exploit
05 Prerequisites
Unauthenticated attacker; victim must click a link or visit a page controlled by the attacker.
Key dates
06 Disclosure timeline
December 30, 2025: CVE published
April 28, 2026: Record updated