QwikSec

Security Database

CVE

CWE

Training

CVE-2025-5953

Published: Jul 4, 2025

Modified: Jul 8, 2025

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator.

Vendor	Product	Versions
asaquzzaman	WP Human Resource Management	affected `2.0.0 - <= 2.2.17`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/3ba33a18-429f-4a3e-b018-bdfbbe6e8482?source=cve

https://wordpress.org/plugins/hrm/#developers

https://plugins.trac.wordpress.org/browser/hrm/tags/2.2.17/class/employee.php#L89

https://plugins.trac.wordpress.org/browser/hrm/tags/2.2.17/class/employee.php#L543

https://plugins.trac.wordpress.org/browser/hrm/tags/2.2.17/class/employee.php#L591

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.