CVE-2026-27351
Deferred Deferred - Pending Action
Missing Authorization in Crew HRM Due to Incorrect Access Control

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Patchstack

Description
Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-23
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-27351
EUVD
EUVD-2026-33931
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
crew_hrm crew_hrm to 1.2.2 (inc)
crew_hrm crew_hrm From 1.2.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27351 is a Broken Access Control vulnerability in the WordPress Crew HRM Plugin, versions 1.2.2 and earlier. It occurs due to missing authorization checks, allowing users with low-level access (such as Subscriber-level users) to perform actions that normally require higher privileges.

Compliance Impact

The vulnerability in the Crew HRM plugin allows unprivileged users to perform actions requiring higher privileges due to missing authorization checks, which constitutes broken access control.

Such broken access control issues can lead to unauthorized access or modification of sensitive data, potentially impacting compliance with standards and regulations like GDPR and HIPAA that require strict access controls to protect personal and health information.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations.

Detection Guidance

This vulnerability allows unprivileged users to perform actions requiring higher privileges due to missing authorization checks in the WordPress Crew HRM Plugin versions 1.2.2 and earlier.

To detect this vulnerability on your system, you can check the installed version of the Crew HRM plugin to see if it is version 1.2.2 or earlier, which are affected.

A common method to detect the vulnerability is to verify the plugin version via WordPress CLI or by inspecting the plugin files.

  • Using WP-CLI to check plugin version: wp plugin list --status=active
  • Manually check the plugin version in the plugin's main PHP file or the readme.txt file.

Additionally, to detect exploitation attempts, monitor for unauthorized actions performed by users with Subscriber-level access or other low-privilege roles.

Specific commands to detect exploitation attempts are not provided in the available resources.

Impact Analysis

This vulnerability can allow unprivileged users to execute actions beyond their intended permissions, potentially leading to unauthorized modifications or disruptions within the HRM system. Although the severity is considered low (CVSS score 5.4), it can be exploited in large-scale attacks targeting many websites, increasing the risk of data integrity issues or service interruptions.

Mitigation Strategies

To mitigate the vulnerability in the WordPress Crew HRM Plugin (CVE-2026-27351), you should immediately update the plugin to version 1.2.3 or later, which contains the patch that fixes the broken access control issue.

If updating immediately is not possible, seek assistance from your hosting provider or developer to apply necessary fixes or workarounds.

Additionally, if you are a Patchstack user, enable auto-updates for vulnerable plugins to ensure timely patching.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart