Description
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
Published: 2026-03-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to sensitive employee data
Action: Immediate Patch
AI Analysis

Impact

The Hr Press Lite plugin for WordPress contains a missing capability check on the hrp-fetch-employees AJAX action. As a result, any authenticated user with Subscriber-level access or higher can trigger the action and retrieve sensitive employee data, including names, email addresses, phone numbers, salary or pay rate, employment dates, and employment status. This flaw leads to unauthorized disclosure of personally identifiable and financial information, violating confidentiality and potentially enabling further exploitation. The vulnerability is classified as CWE-862, a missing authorization flaw.

Affected Systems

The affected product is the Hr Press Lite WordPress plugin, codeclove:Hr Press Lite. All releases up to and including version 1.0.2 contain the flaw. WordPress sites that have installed any of these versions are vulnerable, regardless of the WordPress core version or other plugins. Administrators should verify the plugin version and update to the latest release once available.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw permits data exposure through an authenticated AJAX endpoint, any user with login credentials at the Subscriber tier can exploit it without additional prerequisites. Attackers can cheaply obtain sensitive employee information over the network by simply sending a request to the exposed AJAX handler. The overall risk is moderate, but the impact on privacy and compliance makes timely remediation critical.

Generated by OpenCVE AI on March 21, 2026 at 06:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hr Press Lite plugin to the latest version that contains the missing authorization check, or uninstall the plugin if no update is available.
  • If an update cannot be applied immediately, restrict Subscriber role permissions to prevent access to AJAX actions or remove the hrp-fetch-employees endpoint via a custom rule or security plugin.
  • Review user roles: ensure that only trusted staff have Subscriber or higher roles and consider reducing roles where possible.
  • Follow WordPress security best practices such as using strong passwords, limiting login attempts, and monitoring for suspicious activity.

Generated by OpenCVE AI on March 21, 2026 at 06:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Codeclove
Codeclove hr Press Lite
Wordpress
Wordpress wordpress
Vendors & Products Codeclove
Codeclove hr Press Lite
Wordpress
Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
Title Hr Press Lite <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Codeclove Hr Press Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:23.499Z

Reserved: 2026-02-18T21:16:02.973Z

Link: CVE-2026-2720

cve-icon Vulnrichment

Updated: 2026-03-23T17:00:23.838Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:17:11.840

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-2720

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:41:36Z

Weaknesses