CVE-2026-2720
MEDIUM
6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none
Description
AI Translation Available
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
862
Missing Authorization
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Access Control
Availability
Potential Impacts:
Read Application Data
Read Files Or Directories
Modify Application Data
Modify Files Or Directories
Gain Privileges Or Assume Identity
Bypass Protection Mechanism
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Dos: Resource Consumption (Other)
Applicable Platforms
Technologies:
AI/ML, Database Server, Not Technology-Specific, Web Server
https://plugins.trac.wordpress.org/browser/hr-press-lite/tags/1.0.2/admin/admin…
https://plugins.trac.wordpress.org/browser/hr-press-lite/tags/1.0.2/includes/HR…
https://plugins.trac.wordpress.org/browser/hr-press-lite/trunk/admin/admin.php#…
https://plugins.trac.wordpress.org/browser/hr-press-lite/trunk/includes/HRP_Act…
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2a63b8e-e16e-4702-be…