Skip to main content
CVE Vulnerability Database

CVE-2026-9237: Crew HRM Auth Bypass Vulnerability

CVE-2026-9237 is an authorization bypass vulnerability in the Crew HRM plugin for WordPress that allows authenticated attackers to delete and manipulate job listings. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-9237 Overview

CVE-2026-9237 is an authorization bypass vulnerability in the Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress. All versions up to and including 1.2.2 are affected. The plugin fails to verify whether an authenticated user has permission to perform sensitive job-management actions. Attackers with subscriber-level access can delete, archive, unarchive, and duplicate arbitrary job listings, along with their associated stages, meta, addresses, and applications. The nonce required by the plugin's dispatcher is exposed to any authenticated visitor through wp_head script localization, defeating the intended access control. The issue is tracked under CWE-862: Missing Authorization.

Critical Impact

Any authenticated WordPress subscriber can destroy or duplicate arbitrary HR job records and their associated applicant data by supplying a chosen job_id.

Affected Products

  • Crew HRM – Employee, Leave and Recruitment Management System plugin for WordPress
  • All versions up to and including 1.2.2
  • WordPress sites permitting subscriber-level (or higher) registration with the plugin active

Discovery Timeline

  • 2026-07-09 - CVE-2026-9237 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-9237

Vulnerability Analysis

The Crew HRM plugin routes front-end AJAX requests through a central Dispatcher::dispatch() method. The dispatcher validates a WordPress nonce before invoking a mapped controller action. However, it never verifies whether the authenticated user holds the capability required to execute the requested job-management action. The controller methods in JobManagement.php for deleting, archiving, unarchiving, and duplicating job listings therefore execute for any authenticated caller. Successful requests cascade into deletion or duplication of related database records including hiring stages, job meta, addresses, and stored applicant applications.

Root Cause

The underlying flaw is missing authorization ([CWE-862]). The plugin conflates nonce validity with authorization. Nonces prevent cross-site request forgery, but they do not establish that the caller has the required role or capability. Compounding the issue, the plugin exposes the dispatcher nonce to every logged-in front-end visitor by localizing it into a wp_head script variable. A subscriber can read the nonce from any rendered page and reuse it against privileged actions.

Attack Vector

An attacker registers or authenticates as a WordPress subscriber. The attacker loads any front-end page and extracts the localized nonce from the page source. The attacker then issues an authenticated AJAX request to the dispatcher, specifying a job-management action and an arbitrary integer job_id. The dispatcher validates the nonce, the missing capability check is skipped, and the controller performs the destructive action. Repeating the request across enumerated job_id values allows wholesale manipulation of the HR dataset.

A proof-of-concept is not required to describe the exploitation path. See the Wordfence Vulnerability Report and the plugin source at Controllers/JobManagement.php and Setup/Dispatcher.php for the vulnerable code paths.

Detection Methods for CVE-2026-9237

Indicators of Compromise

  • Unexpected deletion, archival, or duplication of job listings in the Crew HRM administration view.
  • Missing hiring stages, job meta rows, address records, or applicant applications in the plugin's database tables.
  • WordPress access logs showing admin-ajax.php POST requests from subscriber accounts referencing the plugin's dispatcher action with a job_id parameter.
  • New user registrations shortly followed by requests to the plugin's dispatch endpoint.

Detection Strategies

  • Monitor admin-ajax.php requests where the action targets the Crew HRM dispatcher and the authenticated user role is subscriber or contributor.
  • Alert on high-frequency requests from a single authenticated session referencing sequential job_id values, indicating enumeration.
  • Compare current job-listing counts and hashes against a known-good baseline to detect unauthorized removals or duplicates.

Monitoring Recommendations

  • Ingest WordPress web server access logs and PHP error logs into a centralized log platform.
  • Enable audit logging of job listing CRUD operations at the database or plugin level.
  • Track subscriber account creation rates and correlate with subsequent plugin AJAX activity.

How to Mitigate CVE-2026-9237

Immediate Actions Required

  • Update the Crew HRM plugin to a version newer than 1.2.2 once the vendor publishes a patched release.
  • Audit existing WordPress user accounts and remove or downgrade unnecessary subscriber-level accounts.
  • Review job listings, stages, and applications for unauthorized deletion or duplication and restore from backup if needed.
  • Disable open user registration until the plugin is updated.

Patch Information

The plugin source repository shows a corrective changeset at WordPress Change Set 3556031. Administrators should upgrade to the fixed release published on the WordPress plugin directory. Verify the installed plugin version is greater than 1.2.2 after applying the update.

Workarounds

  • Deactivate the Crew HRM plugin until a patched version is installed on sites permitting self-registration.
  • Restrict WordPress registration to administrator-approved accounts and disable the default subscriber role for new signups.
  • Use a web application firewall rule to block admin-ajax.php requests targeting the Crew HRM dispatcher when the requesting user is a subscriber.
  • Maintain regular database backups of the plugin's job, stage, and applicant tables to support recovery.
bash
# Example WordPress CLI check for plugin version and open registration
wp plugin get hr-management --field=version
wp option get users_can_register
# Disable open registration if not required
wp option update users_can_register 0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.