CVE-2025-5956
BaseFortify
Publication date: 2025-07-04
Last updated on: 2025-08-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mishubd | wp_human_resource_management | From 2.0.0 (inc) to 2.2.17 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Human Resource Management plugin for WordPress allows authenticated users with Employee-level access or higher to delete arbitrary user accounts, including administrators. This happens because the ajax_delete_employee() function does not properly check if the user has permission to delete users before passing user IDs from a client-supplied array directly to the wp_delete_user() function. As a result, attackers can delete any user account without proper authorization.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized deletion of user accounts, including administrator accounts, by attackers with limited access. This could disrupt the management of the WordPress site, cause loss of important user data, and potentially lock out legitimate administrators, impacting site availability and control.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the WP Human Resource Management plugin version 2.0.0 through 2.2.17 until a secure update is released, restricting access to users with Employee-level access or higher, and monitoring user deletion activities closely. Since the plugin has been temporarily closed pending a security review, avoid using it in production environments. [1]