CVE-2026-2720

Name of the Vulnerable Software and Affected Versions Hr Press Lite versions up to and including 1.0.2

Description The Hr Press Lite plugin for WordPress has a flaw that allows unauthorized access to sensitive employee data. This is due to a missing capability check on the hrp-fetch-employees AJAX action. Attackers with Subscriber-level access or higher can retrieve sensitive employee information, including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status. The vulnerable component is the hrp-fetch-employees AJAX action.

Recommendations Update Hr Press Lite to a version beyond 1.0.2.