CVE-2026-27351
Deferred - Pending Action
Missing Authorization in Crew HRM Due to Incorrect Access Control

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Patchstack

Description
Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor     Product     Version / Range
crew_hrm   crew_hrm    up to 1.2.2 (inclusive)
crew_hrm   crew_hrm    from 1.2.3 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27351 is a Broken Access Control vulnerability (CWE-862, Missing Authorization) in the Crew HRM WordPress plugin, versions 1.2.2 and earlier. The plugin does not verify that the requesting user is authorized before carrying out certain actions, so users with low-level access (such as Subscriber-level accounts) can trigger actions that normally require higher privileges.
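The pattern behind CWE-862 in a WordPress plugin, shown as an added illustration: this is not Crew HRM's code, and the advisory does not say which handler in the plugin is affected. The action names, the option name and the capability used below are invented for the example; the file is meant to be dropped into a WordPress install (for example as a mu-plugin), since the WordPress functions it calls do not exist outside one.

```php
<?php
/**
 * Plugin Name: HRM authorization illustration (added example, not Crew HRM code)
 *
 * Two handlers for the same invented "update leave policy" action. Both are
 * reachable by any logged-in user through /wp-admin/admin-ajax.php, because
 * wp_ajax_{action} hooks fire for every authenticated account, Subscribers included.
 * Action names, option name and capability are assumptions for illustration.
 */

// --- Vulnerable pattern (CWE-862): the handler treats "logged in" as "authorized". ---
add_action('wp_ajax_hrm_update_leave_policy', 'hrm_update_leave_policy_vulnerable');
function hrm_update_leave_policy_vulnerable(): void
{
    // A Subscriber can POST action=hrm_update_leave_policy&days=0 and rewrite HR policy.
    // The missing nonce additionally exposes an admin's browser to CSRF.
    $days = (int) ($_POST['days'] ?? 0);
    update_option('hrm_leave_days', $days);
    wp_send_json_success(['days' => $days]);
}

// --- Hardened pattern: nonce (request origin) and capability (authorization) before any write. ---
add_action('wp_ajax_hrm_update_leave_policy_secure', 'hrm_update_leave_policy_secure');
function hrm_update_leave_policy_secure(): void
{
    // Terminates the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer('hrm_leave_policy', 'nonce');

    // A valid nonce proves the request came from a page this user loaded, not that the
    // user may perform the action. Authorization is a separate capability check;
    // test a capability, never a role name, so custom roles keep working.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient permissions'], 403);
    }

    $days = (int) ($_POST['days'] ?? 0);
    if ($days < 0 || $days > 365) {
        wp_send_json_error(['message' => 'days out of range'], 400);
    }
    update_option('hrm_leave_days', $days);
    wp_send_json_success(['days' => $days]);
}

// --- The same bug in REST form: 'permission_callback' => '__return_true' makes a route public. ---
add_action('rest_api_init', function (): void {
    register_rest_route('hrm/v1', '/leave-policy', [
        'methods'  => 'POST',
        'callback' => function (WP_REST_Request $req) {
            update_option('hrm_leave_days', (int) $req->get_param('days'));
            return ['days' => (int) get_option('hrm_leave_days')];
        },
        // Correct form: authorization is decided per request. The vulnerable form is
        // '__return_true' here (or omitting the key entirely).
        'permission_callback' => function (): bool {
            return current_user_can('manage_options');
        },
        // Schema validation runs before the callback; out-of-range values are rejected with 400.
        'args' => ['days' => ['type' => 'integer', 'minimum' => 0, 'maximum' => 365]],
    ]);
});
```

When reviewing a plugin for this bug class, grep for every wp_ajax_, admin_post_ and register_rest_route registration and confirm each handler performs both a nonce check and a current_user_can() check before any state change; a handler that only checks is_user_logged_in() has exactly the Subscriber-level exposure described above.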


How can this vulnerability impact me?

Unprivileged users can execute actions beyond their intended permissions, which can lead to unauthorized modifications or disruptions within the HRM system. The CVSS score of 5.4 is only medium severity, but access-control flaws in widely installed plugins are routinely exploited at scale across many sites, which raises the practical risk of data integrity issues or service interruptions.


What immediate steps should I take to mitigate this vulnerability?

Update the Crew HRM plugin to version 1.2.3 or later; that release contains the patch for the broken access control issue.

If you cannot update immediately, ask your hosting provider or developer to apply the fix or an interim workaround. Because exploitation requires a logged-in low-privilege account, limiting who can obtain one (for example, disabling open user registration) reduces exposure until the patch is applied.

If you use Patchstack, enable auto-updates for vulnerable plugins so the fix is applied promptly.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Crew HRM plugin allows unprivileged users to perform actions that require higher privileges because authorization checks are missing, which constitutes broken access control.

Broken access control can lead to unauthorized access to or modification of sensitive data, and an HRM system typically holds personal and sometimes health-related employee records. That can affect compliance with standards and regulations such as GDPR and HIPAA, which require strict access controls over such information.

However, the available information does not detail the specific data exposed, so the direct compliance impact cannot be stated precisely.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The affected versions are Crew HRM 1.2.2 and earlier, so the first check is the installed plugin version.

  • Using WP-CLI: wp plugin list --status=active prints every active plugin with its version column; wp plugin get <plugin-slug> --field=version returns just the version of a single plugin.
  • Manually: read the Version: line in the header of the plugin's main PHP file, or the Stable tag line in its readme.txt.

To detect exploitation attempts, review web server and application logs for requests to the plugin's action endpoints (admin-ajax.php, admin-post.php or REST routes) that modify HRM data and originate from Subscriber-level or other low-privilege accounts, and audit HRM records for changes those accounts should not have been able to make.

Specific commands to detect exploitation attempts are not provided in the available resources.
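A small version checker for the manual step above, added here as an example; it is not part of Crew HRM or Patchstack. It assumes the plugin's main file carries a standard WordPress Version: header and that 1.2.3 is the first fixed release, as the advisory states. Run it with php and the path to the plugin's main file, or with no argument to see it evaluate a constructed sample header.

```php
<?php
// Added version-check helper (not Crew HRM or Patchstack code). Assumptions:
// the plugin's main file has a standard "Version:" header, and 1.2.3 is the
// first fixed release. Usage: php check-crew-hrm.php /path/to/plugin-main-file.php

const CREW_HRM_FIXED_VERSION = '1.2.3';

/** Pull the Version: value out of a plugin header block, the way WordPress's get_file_data() does. */
function crew_hrm_header_version(string $header_text): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:(.*)$/mi', $header_text, $m)) {
        return trim($m[1]);
    }
    return null;
}

/** True when the installed version predates the fix. */
function crew_hrm_is_vulnerable(string $installed): bool
{
    // version_compare() compares component by component; a plain string
    // comparison would wrongly report "1.2.10" as older than "1.2.3".
    return version_compare($installed, CREW_HRM_FIXED_VERSION, '<');
}

/** Read only the first 8 KB of the file: WordPress itself looks no further for headers. */
function crew_hrm_check_plugin_file(string $path): array
{
    $head = @file_get_contents($path, false, null, 0, 8192);
    if ($head === false) {
        return ['version' => null, 'vulnerable' => null, 'note' => "cannot read $path"];
    }
    $version = crew_hrm_header_version($head);
    if ($version === null) {
        return ['version' => null, 'vulnerable' => null, 'note' => 'no Version: header found'];
    }
    return ['version' => $version, 'vulnerable' => crew_hrm_is_vulnerable($version), 'note' => ''];
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        $result = crew_hrm_check_plugin_file($argv[1]);
    } else {
        // Constructed sample header so the script demonstrates itself offline.
        $sample = "<?php\n/**\n * Plugin Name: Crew HRM\n * Version: 1.2.2\n */\n";
        $version = crew_hrm_header_version($sample);
        $result = [
            'version'    => $version,
            'vulnerable' => $version !== null && crew_hrm_is_vulnerable($version),
            'note'       => 'constructed sample header',
        ];
    }
    echo json_encode($result, JSON_PRETTY_PRINT), "\n";
}
```

A null vulnerable field means the check could not be completed (unreadable file or no header) and should be treated as "unknown", not as "patched"; confirm such cases with wp plugin list on the host.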

