CVE-2026-9237 in Crew HRM Plugininfo

Summary

by MITRE • 07/09/2026

The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, archive, unarchive, and duplicate arbitrary job listings — along with their associated stages, meta, addresses, and applications — by supplying an arbitrary integer job_id. The nonce verified by Dispatcher::dispatch() is exposed to all authenticated front-end visitors via wp_head script localization, meaning subscribers can trivially obtain it and satisfy the nonce check without possessing any elevated privilege.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability identified in the Crew HRM plugin for WordPress represents a critical authorization bypass flaw that undermines the system's security model and exposes sensitive administrative functions to unauthorized users. This issue affects all versions up to and including 1.2.2, where the plugin fails to implement proper access control verification mechanisms for core administrative operations. The flaw specifically targets job listing management functionality, allowing authenticated users with subscriber-level privileges or higher to manipulate job postings and their associated metadata in ways that should only be permitted to administrators or privileged personnel.

The technical execution of this vulnerability stems from a fundamental flaw in the plugin's nonce implementation and access control validation processes. The Dispatcher::dispatch() method relies on a nonce for security verification, but this security token is inadvertently exposed to all authenticated front-end visitors through wp_head script localization. This exposure creates a direct pathway for attackers to obtain valid nonces without requiring elevated privileges, effectively nullifying the intended security controls. The vulnerability extends beyond simple access control by enabling attackers to perform destructive operations including deletion, archiving, unarchiving, and duplication of job listings along with all associated data elements such as application stages, metadata, addresses, and candidate applications.

The operational impact of this vulnerability is significant for organizations relying on the Crew HRM plugin for their recruitment processes. Attackers with subscriber-level access can manipulate job postings at will, potentially disrupting recruitment workflows, compromising sensitive candidate information, and causing data integrity issues. The ability to duplicate job listings also creates opportunities for data pollution and potential denial-of-service scenarios where malicious actors flood the system with duplicate entries. Furthermore, the exposure of associated metadata and application data means that confidential information about candidates and recruitment processes could be compromised, creating additional security risks beyond simple operational disruption.

The vulnerability aligns with CWE-863 (Authorization Bypass Through User-Controlled Key) and represents a clear violation of the principle of least privilege in software security design. From an attack perspective, this flaw maps to multiple ATT&CK techniques including T1078 (Valid Accounts) and T1548.002 (Abuse Elevation Control Mechanism) as it allows attackers to leverage existing valid accounts to perform privileged actions without proper authorization. The exposure of nonces through front-end script localization also reflects poor security hygiene practices that violate secure coding guidelines for nonce management and session control.

Mitigation strategies should focus on immediate plugin updates to versions that address the authorization bypass vulnerability, though organizations may need to implement additional compensating controls in the interim. Security measures must include proper nonce generation and validation mechanisms that do not expose security tokens to unauthorized users, along with robust access control verification for all administrative functions. Organizations should also consider implementing network-level restrictions or additional authentication layers for front-end operations that require elevated privileges. Regular security audits of WordPress plugins and themes should be conducted to identify similar authorization bypass vulnerabilities in other third-party components, as these issues often stem from common security design flaws that can affect multiple software packages within the same ecosystem.

Responsible

Wordfence

Reservation

05/21/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!