CVE-2026-15349 in ERP Complete HR Accounting CRM Suite Plugininfo

Summary

by MITRE • 07/17/2026

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary company locations in the ERP database.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability identified in the ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin represents a critical authorization bypass flaw that undermines the security model of WordPress-based e-commerce platforms. This weakness affects all versions up to and including 1.17.6, creating a persistent risk for organizations relying on the plugin for enterprise resource planning and customer relationship management functionalities. The vulnerability stems from inadequate user permission validation mechanisms within the plugin's codebase, specifically in how it handles database operations related to company location management.

The technical implementation of this authorization bypass occurs when the plugin fails to properly validate user credentials and privileges before executing database modification operations. An attacker with subscriber-level access or higher can exploit this flaw to insert arbitrary company locations into the ERP database without proper authorization. This represents a direct violation of the principle of least privilege, where users should only be able to perform actions commensurate with their assigned roles. The vulnerability manifests through insufficient input sanitization and access control checks that should normally prevent unauthorized modifications to critical business data structures.

From an operational perspective, this authorization bypass creates significant risks for organizations using the plugin, particularly in enterprise environments where accurate company location data is crucial for financial reporting, human resources management, and customer relationship tracking. Attackers could potentially manipulate company location records to obscure business operations, create false billing addresses, or disrupt payroll processing systems that depend on accurate location data. The impact extends beyond simple data corruption, as it can compromise audit trails and regulatory compliance requirements within accounting and HR modules that rely on verified location information.

The vulnerability aligns with CWE-284, which describes improper access control in software applications, and can be mapped to ATT&CK technique T1078 for valid accounts and T1566 for credential harvesting through exploitation of web application vulnerabilities. Organizations should implement immediate mitigations including patching to the latest available version, implementing network segmentation to limit access to the affected plugin functionality, and conducting thorough access control reviews. Additionally, administrators should monitor database logs for unauthorized location creation activities and consider implementing additional validation layers within the WordPress environment to detect and prevent such unauthorized modifications to ERP data structures.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!