CVE-2026-15349 in ERP Complete HR Accounting CRM Suite Plugin
Summary
by MITRE • 07/17/2026
The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary company locations in the ERP database.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability identified in the ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin represents a critical authorization bypass flaw that undermines the security model of WordPress-based e-commerce platforms. This weakness affects all versions up to and including 1.17.6, creating a persistent risk for organizations relying on the plugin for enterprise resource planning and customer relationship management functionalities. The vulnerability stems from inadequate user permission validation mechanisms within the plugin's codebase, specifically in how it handles database operations related to company location management.
The technical implementation of this authorization bypass occurs when the plugin fails to properly validate user credentials and privileges before executing database modification operations. An attacker with subscriber-level access or higher can exploit this flaw to insert arbitrary company locations into the ERP database without proper authorization. This represents a direct violation of the principle of least privilege, where users should only be able to perform actions commensurate with their assigned roles. The vulnerability manifests through insufficient input sanitization and access control checks that should normally prevent unauthorized modifications to critical business data structures.
From an operational perspective, this authorization bypass creates significant risks for organizations using the plugin, particularly in enterprise environments where accurate company location data is crucial for financial reporting, human resources management, and customer relationship tracking. Attackers could potentially manipulate company location records to obscure business operations, create false billing addresses, or disrupt payroll processing systems that depend on accurate location data. The impact extends beyond simple data corruption, as it can compromise audit trails and regulatory compliance requirements within accounting and HR modules that rely on verified location information.
The vulnerability aligns with CWE-284, which describes improper access control in software applications, and can be mapped to ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting through exploitation of web application vulnerabilities. Organizations should implement immediate mitigations including patching to the latest available version, implementing network segmentation to limit access to the affected plugin functionality, and conducting thorough access control reviews. Additionally, administrators should monitor database logs for unauthorized location creation activities and consider implementing additional validation layers within the WordPress environment to detect and prevent such unauthorized modifications to ERP data structures.