Impact
The vulnerability in the Mamurjor Employee Info plugin for WordPress is a classic Cross‑Site Request Forgery (CWE‑352). Because the plugin does not validate nonces on multiple administrative functions, an attacker can forge a request that causes a logged‑in administrator's browser to perform actions such as creating, updating, or deleting employee records, departments, designations, salary grades, education records, and salary payments. The impact is a breach of data integrity and potentially the exposure of sensitive payroll information. Although the attacker does not obtain direct authentication credentials, the ability to manipulate administrative data poses a significant risk for organizations relying on accurate employee information.
Affected Systems
The affected vendor is Mamurjor, with the product Mamurjor Employee Info plugin for WordPress. All versions up to and including 1.0.0 are vulnerable, as the issue stems from missing nonce validation across the plugin's administrative interface. No other versions are affected at the time of this advisory, and the issue is specific to WordPress environments that have the plugin activated.
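To make the root cause concrete, the following is an added example (not code from the Mamurjor plugin or from OpenCVE) showing the WordPress request-handler pattern behind this class of CWE‑352 finding: a handler that accepts any POST without nonce validation, beside the hardened form that checks a capability and a nonce bound to the action and the current user. All function, table, page and action names (`example_*`) are hypothetical placeholders; the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `admin_post_*`) are the real ones a plugin would use.

```php
<?php
/**
 * Added example, not the plugin's own code. Names prefixed "example_" are
 * hypothetical placeholders; the WordPress functions are real.
 */

// --- Vulnerable pattern: the handler trusts any POST that carries the
// expected fields. A logged-in admin's browser attaches the session cookies
// automatically, so a form hosted on a third-party page can submit this
// request on the admin's behalf (missing nonce validation, CWE-352).
function example_vulnerable_delete_employee() {
    $id = isset( $_POST['employee_id'] ) ? absint( $_POST['employee_id'] ) : 0;
    // No capability check and no nonce check: any forged POST is accepted.
    example_delete_employee_record( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-employees' ) );
    exit;
}

// --- Hardened pattern, part 1: the form embeds a nonce tied to this
// specific action and record. A cross-site page cannot know its value.
function example_render_delete_form( $employee_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_employee">
        <input type="hidden" name="employee_id" value="<?php echo absint( $employee_id ); ?>">
        <?php
        // Emits a hidden "_wpnonce" field bound to the action string and to
        // the current user's session; it expires on its own after a day.
        wp_nonce_field( 'example_delete_employee_' . absint( $employee_id ) );
        submit_button( 'Delete employee' );
        ?>
    </form>
    <?php
}

// --- Hardened pattern, part 2: the handler checks authorization first,
// then validates the nonce before touching any data.
function example_hardened_delete_employee() {
    // 1. Authorization: the caller must be allowed to manage staff records.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    $id = isset( $_POST['employee_id'] ) ? absint( $_POST['employee_id'] ) : 0;

    // 2. CSRF defence: check_admin_referer() verifies the "_wpnonce" field
    //    against the same action string the form used and calls wp_die()
    //    if the nonce is missing, expired, or was issued to another user.
    check_admin_referer( 'example_delete_employee_' . $id );

    example_delete_employee_record( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-employees&deleted=1' ) );
    exit;
}

// Register only the hardened handler with the admin-post.php dispatcher.
add_action( 'admin_post_example_delete_employee', 'example_hardened_delete_employee' );

// Hypothetical persistence helper standing in for the plugin's storage code.
function example_delete_employee_record( $id ) {
    global $wpdb;
    if ( $id > 0 ) {
        $wpdb->delete( $wpdb->prefix . 'example_employees', array( 'id' => $id ), array( '%d' ) );
    }
}
```

The same two checks apply to every state-changing administrative function the advisory lists (create, update and delete of employees, departments, designations, salary grades, education records and salary payments); handlers reached through `admin-ajax.php` use `check_ajax_referer()` instead of `check_admin_referer()`. The nonce check is a CSRF control only, which is why the capability check is kept alongside it: a valid nonce proves the request came from a form the site rendered for this user, not that the user is allowed to perform the action.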
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to trick a site administrator into executing a forged URL or form, so social engineering is a prerequisite. Once an administrator's browser submits the forged request, however, the records are manipulated with that administrator's privileges and no further access is needed, making the risk significant for data integrity.
OpenCVE Enrichment