Impact
The HR Management Lite plugin for WordPress contains a Cross‑Site Request Forgery vulnerability (CWE‑352): a request handler in the plugin accepts state‑changing requests without verifying that the logged‑in user actually intended to send them. An attacker who lures a logged‑in user onto a page they control can have that user's browser submit a forged request to the WordPress site, which the plugin then processes with the victim's session. The flaw does not by itself provide remote code execution or data exfiltration, but it lets the attacker perform any action within the plugin that the victim is authorized to perform, which for an HR plugin can mean altering business processes or sensitive employee records. The impact is therefore privilege misuse and loss of data integrity rather than compromise of the underlying system.
Affected Systems
Vendor: Weblizar. Product: WordPress Themes & Plugin HR Management Lite. All released versions up to and including 3.6 are affected; no sub‑version exclusions are listed, so any installation whose version is 3.6 or lower should be treated as affected. Check the installed version on the site's Plugins screen (or with `wp plugin list` where WP‑CLI is available) before deciding whether a site is in scope.
Risk and Exploitability
The vulnerability carries a CVSS score of 4.3 (Medium) and an EPSS score below 1 %, indicating that exploitation is unlikely at this time. The issue is not listed in CISA's KEV catalog. The attack vector is web‑based and requires user interaction: the attacker hosts a page or script that auto‑submits a crafted request to the target WordPress site, and the browser of a logged‑in victim attaches the site's authentication cookies, so the request arrives authenticated. The request succeeds because the affected handler lacks, or does not correctly validate, a CSRF token (in WordPress terms, a nonce). The victim must hold whatever role the plugin requires for the targeted action, which bounds the blast radius to that role's permissions. Browser SameSite cookie defaults reduce but do not eliminate exposure, so nonce verification in the plugin's handlers remains the required fix.
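To make the weakness and its fix concrete, here is an added illustration written for this page; it is not code from HR Management Lite or from Weblizar, and the hook names, field names, table name and the `hrml_` prefix are invented. It shows a WordPress `admin-post.php` handler first in the CSRF‑prone shape that CWE‑352 describes (no nonce, no capability check), then the same handler hardened with a per‑user, per‑action nonce emitted by the form and verified on submission.

```php
<?php
/**
 * Added example, not code from the HR Management Lite plugin or its vendor.
 * Hypothetical handler that updates an employee's salary via admin-post.php.
 * All hook/field/table names ('hrml_*') are invented for illustration.
 */

// --- Vulnerable shape: trusts any POST that arrives with a logged-in session.
// A form on an attacker's page can auto-submit to admin-post.php; the victim's
// browser attaches the WordPress auth cookies, so the request is authenticated
// even though the victim never intended to send it.
add_action( 'admin_post_hrml_update_employee_vuln', 'hrml_update_employee_vuln' );
function hrml_update_employee_vuln() {
    global $wpdb;
    $id     = absint( $_POST['employee_id'] );
    $salary = sanitize_text_field( wp_unslash( $_POST['salary'] ) );
    // No nonce verification and no capability check: a forged request succeeds.
    $wpdb->update( "{$wpdb->prefix}hrml_employees", array( 'salary' => $salary ), array( 'id' => $id ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hrml' ) );
    exit;
}

// --- Hardened shape, part 1: the form carries a nonce bound to the action,
// the record id, the current user and the current session.
function hrml_render_employee_form( $employee_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hrml_update_employee">
        <input type="hidden" name="employee_id" value="<?php echo esc_attr( $employee_id ); ?>">
        <?php wp_nonce_field( 'hrml_update_employee_' . $employee_id, 'hrml_nonce' ); ?>
        <label>Salary <input type="text" name="salary"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened shape, part 2: the handler verifies the nonce and, separately,
// that the user is allowed to perform this action at all.
add_action( 'admin_post_hrml_update_employee', 'hrml_update_employee' );
function hrml_update_employee() {
    global $wpdb;
    $id = isset( $_POST['employee_id'] ) ? absint( $_POST['employee_id'] ) : 0;

    // 1. Authorization. A CSRF victim is already logged in, so this check alone
    //    does not stop CSRF, but it limits the damage to what the role may do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence. The nonce is only obtainable by loading the real form
    //    as this user; an attacker's page cannot read or forge it.
    $nonce = isset( $_POST['hrml_nonce'] ) ? sanitize_key( $_POST['hrml_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hrml_update_employee_' . $id ) ) {
        wp_die( 'Invalid request: nonce check failed', '', array( 'response' => 403 ) );
    }

    // 3. Only now touch the data, with explicit formats for the prepared update.
    $salary = isset( $_POST['salary'] ) ? sanitize_text_field( wp_unslash( $_POST['salary'] ) ) : '';
    $wpdb->update(
        "{$wpdb->prefix}hrml_employees",
        array( 'salary' => $salary ),
        array( 'id' => $id ),
        array( '%s' ),
        array( '%d' )
    );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=hrml' ) ) );
    exit;
}
```

`check_admin_referer( 'hrml_update_employee_' . $id, 'hrml_nonce' )` is the one‑call equivalent of the nonce check above (it calls `wp_die()` on failure), and `check_ajax_referer()` is the counterpart for `wp_ajax_*` handlers. When auditing a plugin for this class of bug, enumerate every `admin_post_*`, `wp_ajax_*` and `admin_init`/`init` handler that reads `$_POST` or `$_GET` and changes state, and confirm that each one reaches a nonce verification and a capability check before the write; a handler that does either but not both is still exploitable in one direction.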